Exposure of HTTP proxy password in the Gradle Enterprise administration user interface
Affected product(s)
- Gradle Enterprise 2022.3.3 - 2022.3.4
Severity
Moderate
Published at
2022-11-26
Related CVE ID(s)
Description
Gradle Enterprise can be configured to use an HTTP proxy for all outbound HTTP/HTTPS requests, which may include access credentials. From Gradle Enterprise 2022.3.3 through 2022.3.4, the administration user interface incorrectly reflected the configured password in plaintext. The credentials could be used by an attacker to send HTTP requests through the associated proxy server.
Gradle Enterprise installations not using an HTTP proxy with authentication configured are unaffected. Installations with the HTTP proxy authentication configuration provided in an encrypted format via the Gradle Enterprise unattended configuration mechanism are also unaffected.
Mitigation
As of Gradle Enterprise 2022.3.5, the configured proxy password is no longer reflected in the administration user interface.
Affected installations should consider cycling the password used to connect to the configured HTTP proxy.
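The following is an added example, not code from the advisory or from Gradle: a small inventory triage script that encodes the affected version range (2022.3.3 through 2022.3.4, fixed in 2022.3.5) and the two unaffected conditions the advisory lists, so an operator with several installations can see which ones need the upgrade and a proxy password rotation. The `Installation` record, its field names and the sample inventory are assumptions constructed for the example; the version-string format (`YYYY.N` or `YYYY.N.P`) is an assumption as well.

```python
# Added example (not from the Gradle Enterprise advisory): apply the advisory's
# affected-version range and its unaffected conditions to an inventory of
# installations. Field names and sample data below are constructed.
from dataclasses import dataclass
from typing import List, Tuple

# Range and fix version as stated in the advisory.
AFFECTED_FIRST = (2022, 3, 3)
AFFECTED_LAST = (2022, 3, 4)
FIXED_IN = (2022, 3, 5)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a version like '2022.3' or '2022.3.4' into a comparable tuple.

    A missing patch component is treated as 0 (assumption: '2022.3' is the
    first release of that line).
    """
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Gradle Enterprise version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


@dataclass
class Installation:
    name: str
    version: str
    proxy_auth_configured: bool   # outbound HTTP proxy configured with credentials
    proxy_secret_encrypted: bool  # password supplied encrypted via unattended config


def in_affected_range(version: str) -> bool:
    """True when the version is 2022.3.3 or 2022.3.4 inclusive."""
    return AFFECTED_FIRST <= parse_version(version) <= AFFECTED_LAST


def is_affected(inst: Installation) -> bool:
    """Apply the advisory's conditions: affected version range AND an
    authenticated proxy AND the password was not provided encrypted."""
    if not in_affected_range(inst.version):
        return False
    if not inst.proxy_auth_configured:
        return False          # no proxy credentials to expose
    if inst.proxy_secret_encrypted:
        return False          # encrypted unattended configuration is unaffected
    return True


def recommended_action(inst: Installation) -> str:
    """Short triage outcome, mirroring the advisory's mitigation section."""
    if is_affected(inst):
        return "upgrade to 2022.3.5 or later and cycle the proxy password"
    if in_affected_range(inst.version):
        return "unaffected: no authenticated proxy, or password supplied encrypted"
    return "unaffected: version outside 2022.3.3-2022.3.4"


def triage(inventory: List[Installation]) -> List[str]:
    """Names of installations that need the upgrade and password rotation."""
    return [inst.name for inst in inventory if is_affected(inst)]


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Installation("ci-build-east", "2022.3.4", True, False),   # affected
    Installation("ci-build-west", "2022.3.4", True, True),    # encrypted config
    Installation("dev-sandbox", "2022.3.3", False, False),    # no proxy auth
    Installation("legacy", "2022.3.2", True, False),          # before range
    Installation("upgraded", "2022.3.5", True, False),        # fixed release
]

if __name__ == "__main__":
    for inst in SAMPLE_INVENTORY:
        print(f"{inst.name:15} {inst.version:9} {recommended_action(inst)}")
```

Running the script prints one line per installation; only `ci-build-east` comes back as needing the upgrade and a proxy password rotation, because the other entries each satisfy one of the advisory's unaffected conditions or sit outside the version range.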