Credential leak of AWS credentials via local information exposure

Affected product(s)

  • Gradle Enterprise / Develocity starting with 2022.3. Fixed in 2024.2.

Severity

Low

Published at

2024-10-01

Related CVE ID(s)

Description

In Gradle Develocity 2022.3 through 2024.x before 2024.2, a local operating system user who has console access to the pod running the app can print AWS S3 credentials to the console by running a JAR file.

This does not happen by default and needs to be triggered locally.

The credentials are printed to stdout, which may then be ingested by centralized log management, so the credentials end up persisted in logs. This functionality is not available to users of the web app, only to users with access to the Kubernetes pod.
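The exposure path described above ends in centralized log storage, so one defensive check an operator can add while upgrading is a scanner on the log pipeline that flags and redacts AWS credential shapes before lines are stored. The following is an added example and not Develocity's own code or tooling; it assumes constructed sample log lines, and the key values in them are the placeholder access key ID and secret from the AWS documentation, not real credentials.

```python
import re

# Constructed sample log lines for illustration. The key ID and secret are the
# publicly documented AWS example values (AKIAIOSFODNN7EXAMPLE and its
# companion secret), not live credentials.
SAMPLE_LOG = """\
2024-10-01T12:00:00Z INFO  app started
2024-10-01T12:00:05Z INFO  aws.accessKeyId=AKIAIOSFODNN7EXAMPLE
2024-10-01T12:00:05Z INFO  aws.secretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
2024-10-01T12:00:06Z INFO  request complete
"""

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-lived
# keys, ASIA for temporary ones) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")

# Secret access keys are 40 base64-style characters. Because that alphabet is
# too generic to match on its own, require a key name hinting at a secret
# (case-insensitive) followed by '=' or ':' before the 40-character value.
SECRET_KEY_RE = re.compile(
    r"(?i)(secret[_.-]?access[_.-]?key|aws[_.-]?secret)"
    r"(\s*[=:]\s*)"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def find_aws_credentials(log_text):
    """Return (line_number, kind) for each log line that exposes an AWS credential."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        if ACCESS_KEY_RE.search(line):
            findings.append((number, "access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((number, "secret_access_key"))
    return findings


def redact_line(line):
    """Replace credential values in one log line, keeping the surrounding context."""
    line = ACCESS_KEY_RE.sub("[REDACTED-AWS-ACCESS-KEY-ID]", line)
    # Keep the key name and separator (groups 1 and 2) so the line stays readable.
    line = SECRET_KEY_RE.sub(r"\1\2[REDACTED-AWS-SECRET]", line)
    return line


def redact_log(log_text):
    """Redact every line of a log stream; the result is safe to forward to storage."""
    return "".join(redact_line(line) + "\n" for line in log_text.splitlines())


if __name__ == "__main__":
    for number, kind in find_aws_credentials(SAMPLE_LOG):
        print(f"line {number}: {kind} exposed")
    print(redact_log(SAMPLE_LOG), end="")
```

In a real pipeline this filter belongs at the collection agent or ingestion stage, before the lines reach an index or object store; a finding should also be treated as a signal to rotate the exposed key, since redaction only limits further spread.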

Mitigation

Upgrade to Develocity 2024.2 or later. Use of the latest Develocity version is strongly recommended for all new installations.