System password reset via Admin CLI allows command injection and password leakage

Affected product(s)

  • Gradle Enterprise Admin CLI < 1.3.1

Severity

Low

Published at

2022-06-03

Related CVE ID(s)

Description

The Gradle Enterprise Admin CLI offers several functions relevant to administrators of a Gradle Enterprise installation. One such function is the ability to reset the system user password for Kubernetes-based installations, via the “system reset-system-password” command. For versions of the Gradle Enterprise Admin CLI earlier than 1.3.1, the password provided to this command is parsed by a command shell, creating the opportunity for command injection. It is also used as an argument to a script, allowing the password to be visible for a very brief time via the process list.

Any commands embedded in the password value will be executed within the context of an “enterprise-app” pod instance within the cluster, and only if the user executing the Admin CLI has sufficient administration privileges to execute commands within the container, as determined by the access control of the Kubernetes cluster. Users that do not have sufficient cluster access privileges cannot use this vulnerability to execute commands inside the container.

Similarly, the password is used as an argument to a script that executes within the pod and is only briefly visible as part of the process list within the pod.
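
The two problems described above, side by side, as an added example (not code from Gradle Enterprise or its fix). `printf` and the `sh -c` reader are hypothetical stand-ins for the in-pod reset script, and the sample password is constructed; the safe variant shows one common remedy, a fixed argv with the secret passed on stdin.

```python
import subprocess

# Constructed sample value: a "password" that happens to contain shell syntax.
SAMPLE_PASSWORD = "s3cret; echo EXTRA-COMMAND-RAN"

def argv_exposes(args, secret: str) -> bool:
    """True if the secret appears in what a process listing would show."""
    flat = args if isinstance(args, str) else " ".join(args)
    return secret in flat

def reset_unsafe(password: str):
    """Pattern the advisory describes: the password is spliced into a
    command line that a shell parses, and it ends up in the child's argv."""
    # 'printf' stands in for the hypothetical in-pod reset script.
    cmd = "printf '%s\\n' " + password
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines(), argv_exposes(proc.args, password)

def reset_safe(password: str):
    """Hardened pattern: fixed argv, no shell parsing of the secret,
    and the secret is delivered on stdin instead of the command line."""
    # The stand-in script reads one line from stdin and echoes it back.
    argv = ["sh", "-c", "IFS= read -r pw; printf '%s\\n' \"$pw\""]
    proc = subprocess.run(argv, input=password + "\n",
                          capture_output=True, text=True)
    return proc.stdout.splitlines(), argv_exposes(proc.args, password)

if __name__ == "__main__":
    for fn in (reset_unsafe, reset_safe):
        received, exposed = fn(SAMPLE_PASSWORD)
        print(f"{fn.__name__}: script output={received} secret in argv={exposed}")
```

In the unsafe variant the shell splits the value at `;` and runs the remainder as a second command, while the safe variant hands the script the full string as data and keeps it out of the argument list.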

Mitigation

Users should use version 1.3.1 or later of the Gradle Enterprise Admin CLI.