All advisories

Default installation configuration allows anonymous access to some admin configuration

Affected product(s)

  • Gradle Enterprise 2020.4 - Gradle Enterprise 2021.4.3

Severity

High

Published at

2022-03-24

Related CVE ID(s)

Description

When creating a new Gradle Enterprise installation without specifying an initial configuration file, the default access control settings allow anonymous access to build cache administration and the Export API. This is different to the intended and documented default configuration, which is to only allow viewing and publishing of build scans by anonymous users.

In particular, build cache administration should be restricted to trusted users. An attacker may achieve remote code execution (RCE) by changing the build cache access control settings to allow them to store malicious software in the cache.

As of Gradle Enterprise 2022.1 the anonymous user access control settings are aligned with the documented defaults, disallowing modifying build cache configuration.

Mitigation

Adminstrators should audit the anonymous user access control settings, which can be done via /admin/access/anonymous within Gradle Enterprise.

Upgrading to Gradle Enterprise 2022.1 will not change the existing anonymous access control settings. New installations of Gradle Enterprise 2022.1 or later will use the correct defaults.