Exposure of S3 access credentials in support bundles
- Gradle Enterprise 2022.3 - 2022.3.2
Related CVE ID(s)
Gradle Enterprise can be configured to store Build Scan™ data in an Amazon S3 compatible object store. This configuration may include access credentials. Support bundles generated from Gradle Enterprise 2022.3 through to 2022.3.2 expose these credentials in plaintext. The credentials could be used by an attacker to read and write Build Scan data directly to the object store.
Support bundles are a mechanism used by Gradle Enterprise support to obtain log files and other operational telemetry from a Gradle Enterprise installation. They must be generated by an installation administrator with access to the installation host environment, or via the application administration user interface. The bundle files are typically then shared with Gradle Enterprise support and discarded.
Gradle Enterprise installations not using an Amazon S3 compatible object store for build data are unaffected. Installations using the “instance profile” authentication method are also unaffected.
As of Gradle Enterprise 2022.3.3, the access credentials are encrypted in support bundles.
Affected installations should consider revoking existing credentials and generating and configuring new credentials.