
Non-unique initial system user password may allow unauthorized access to new installation

Affected product(s)

  • Gradle Enterprise < 2023.1

Severity

Moderate

Published at

2023-12-04

Related CVE ID(s)

Description

Gradle Enterprise installations offer the ability to sign in as the “system user”. For manually configured installations, administrators sign in as this user after installing to complete the configuration process, which typically involves creating individual accounts for subsequent use, or configuring integration with an external identity and access management system.

Gradle Enterprise versions prior to 2023.1 use an initial system user password of a well-known default. This password must be changed on first login. An attacker with network access to the user interface of a new installation, and knowledge of the well-known default, can potentially perform the first login before the administrator, gaining unauthorized access.

Installations that were created with an “unattended installation” configuration, where a user-specified system user password other than the well-known initial password is mandatory, are not vulnerable.

Installations where the install and configuration process has been completed manually, where changing the system user password from the well-known initial password is mandatory, are not vulnerable.

Mitigation

Gradle Enterprise 2023.1 and later installations generate a unique initial password which cannot be known by an unauthorized potential attacker. Use of Gradle Enterprise 2023.1 or later is strongly recommended for all new installations.

New installations using an earlier version should use the “unattended installation” process, which requires specifying a system user password that is not the well-known default initial system user password.
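As an added illustration (not Gradle Enterprise code), the following Python model contrasts the three bootstrap paths described above: a fixed well-known initial password, a per-install generated password, and an unattended install that refuses the default. The default value is a placeholder, and the class and function names are invented for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Placeholder for the pre-2023.1 well-known default; the real value is not reproduced here.
WELL_KNOWN_DEFAULT = "<well-known-default-placeholder>"

def _digest(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

class SystemUserBootstrap:
    """Initial system-user credential of a fresh install, plus first-login state (hypothetical class).

    mode="default":    fixed well-known password (pre-2023.1 behaviour)
    mode="generated":  per-install random password (2023.1+ behaviour)
    mode="unattended": installer-specified password; the well-known default is refused
    """
    def __init__(self, mode: str, unattended_password: Optional[str] = None):
        if mode == "default":
            initial = WELL_KNOWN_DEFAULT
        elif mode == "generated":
            initial = secrets.token_urlsafe(24)  # unguessable; shown once to the installer only
        elif mode == "unattended":
            if not unattended_password or hmac.compare_digest(unattended_password, WELL_KNOWN_DEFAULT):
                raise ValueError("unattended install needs a system user password other than the default")
            initial = unattended_password
        else:
            raise ValueError(f"unknown mode {mode!r}")
        self.initial_password = initial
        self._digest = _digest(initial)
        self.first_login_by: Optional[str] = None

    def first_login(self, who: str, password: str) -> bool:
        """Consume the first login if `password` matches; any later attempt is rejected."""
        if self.first_login_by is not None or not hmac.compare_digest(_digest(password), self._digest):
            return False
        self.first_login_by = who
        return True

def unattended_install_accepts(password: Optional[str]) -> bool:
    """True if an unattended install would accept `password` for the system user."""
    try:
        SystemUserBootstrap("unattended", password)
        return True
    except ValueError:
        return False

def simulate_race(mode: str, unattended_password: Optional[str] = None) -> Optional[str]:
    """Who completes the first login when someone knowing only the default tries before the admin?"""
    install = SystemUserBootstrap(mode, unattended_password)
    install.first_login("attacker", WELL_KNOWN_DEFAULT)             # the only value an outsider knows
    install.first_login("administrator", install.initial_password)  # the admin holds the real value
    return install.first_login_by
```

Only the "default" mode lets the first login be completed by someone who knows nothing but the published default; the other two paths leave nothing for an outsider to know.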