Unrestricted access to application HTTP endpoint allows arbitrarily emailing installation admin contact and preventing backups
- Gradle Enterprise 2020.4 - 2022.3.1
Related CVE ID(s)
Gradle Enterprise installations before 2022.3.2 inadvertently exposed an internal HTTP endpoint that is used as part of the database backup process. For embedded database installations with backups enabled, a malicious actor could leverage this to prevent backups from occurring and send emails with arbitrary text content to the configured installation administrator contact address.
This endpoint can not be used to send emails to arbitrary recipients or obtain user data.
Gradle Enterprise 2022.3.2 mitigates the vulnerability by preventing unauthorized access to the endpoint.
This can be emulated for earlier versions by blocking external access to the
/backup request path of the application via an external firewall or request router.
As this vulnerability can potentially prevent backups from occurring according to the configured schedule, users using the embedded database and scheduled backups should verify the presence of adequate backups after upgrading or blocking the request path.