
Cross-Site Request Forgery on Develocity API calls

Affected product(s)

  • Gradle Enterprise / Develocity starting with 2022.1 and up to 2023.4.6. Fixed in 2024.1.

Severity

Moderate

Published at

2024-05-02

Related CVE ID(s)

Description

Develocity introduced an API for extracting build data and automating some administrative tasks in version 2022.1. API operations include reading and modifying some data and settings stored in Develocity. This API also supports authentication with a cookie-based session token, but in vulnerable versions, it does not implement CSRF protection.

The vulnerability allows an external, remote attacker to have a logged-in user perform inadvertent changes in a Develocity instance if that user visits a malicious location in a browser that is signed in to Develocity at the same time. Possible changes are limited by the permissions of the user and by the API functionality. Information disclosure is prevented by the browser's same-origin policy, which does not allow the response data to be read by the attacker.

For an attacker to be able to exploit this vulnerability, the logged-in user must have at least one of the following permissions: Administer Develocity, Configure Build Caches, Administer Projects. Users without these permissions are unaffected.
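The class of defect described above is an API that accepts a browser cookie session on state-changing calls without checking where the request came from. The following is an added, constructed illustration of the server-side check such an API needs; it is not Develocity code, and the origin, the session cookie name and the header set are assumptions. Bearer-token calls pass because a cross-site page cannot attach that header, while cookie-authenticated writes must carry browser provenance headers that match the application's own origin.

```python
"""Constructed example of a CSRF guard for a JSON API that accepts both
bearer tokens and a cookie-based session. Not Develocity code; the origin,
cookie name and header handling are assumptions for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://develocity.example.com"  # assumed deployment origin
SESSION_COOKIE = "SESSION"                          # assumed cookie name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}           # read-only, no state change


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def _header(req: Request, name: str):
    """Case-insensitive header lookup; None when absent."""
    return next((v for k, v in req.headers.items() if k.lower() == name.lower()), None)


def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason) for a request to the API."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    auth = _header(req, "Authorization")
    if auth and auth.startswith("Bearer "):
        # A bearer token is set by the caller's own code, never attached
        # automatically by the browser, so a cross-site page cannot forge it.
        return True, "bearer token, not cookie auth"
    if SESSION_COOKIE not in req.cookies:
        return False, "no credentials"
    # Cookie-authenticated write: the browser must vouch for the source.
    sfs = _header(req, "Sec-Fetch-Site")
    if sfs is not None:
        # "same-site" (sibling subdomain) and "cross-site" are both rejected.
        return sfs == "same-origin", f"Sec-Fetch-Site={sfs}"
    source = _header(req, "Origin") or _header(req, "Referer")
    if source is None:
        return False, "cookie auth without Origin or Referer"
    parts = urlsplit(source)
    source_origin = f"{parts.scheme}://{parts.netloc}"
    if source_origin == ALLOWED_ORIGIN:
        return True, "same origin"
    return False, f"cross-site request from {source_origin}"
```

A forged POST from another site arrives with the victim's session cookie but an Origin (or Sec-Fetch-Site) naming the attacker's page, and is refused before the handler runs.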

Mitigation

Upgrade to Develocity 2024.1 or later. Use of the latest Develocity version is strongly recommended for all new installations.