CCUD plugins information exposure
Affected product(s)
- All versions of the Gradle plugin prior to 2.3. Fixed in 2.3.
- All versions of the Maven extension prior to 2.0.3. Fixed in 2.0.3.
- All versions of the sbt plugin prior to 1.2. Fixed in 1.2.
Severity
High
Published at
2025-07-21
Related CVE ID(s)
Description
The Common Custom User Data (CCUD) Gradle Plugin, Maven Extension and sbt plugin are widely used to provide additional build data for Build Scans.
The plugins are vulnerable to information disclosure if the provided Git repository URL contains URL-encoded user credentials. To exploit this, the plugin or extension user must have configured their build with URL-encoded credentials in the URL, and the attacker must have access to the Develocity instance where this information is exposed.
If CCUD plugins are not used, or credentials are not included in URLs, or credentials are not URL-encoded, then no component is affected.
Mitigation
Upgrade the CCUD Gradle plugin to version 2.3 or later, the Maven extension to version 2.0.3 or later, and the sbt plugin to version 1.2 or later.
It is recommended not to use credentials in URLs. If URL-encoded credentials were used, then rotate the affected secrets.
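The following is an added example, not the CCUD plugins' own code: it shows the defensive step the description implies, redacting the userinfo part of a Git remote URL before the URL is recorded as build metadata, and treating percent-encoded credentials (for example a password written as p%40ss%3Aw0rd) the same as plain ones. The metadata keys and URLs are constructed for illustration. It also reports which keys carried credentials, so an operator knows which secrets to rotate without the secret itself being reproduced.

```python
"""Redact userinfo (plain or percent-encoded credentials) from Git remote
URLs before they are published as build metadata.

Added example, not the CCUD plugins' own code; metadata keys and URLs
below are constructed for illustration.
"""
from __future__ import annotations

from urllib.parse import unquote, urlsplit, urlunsplit

# Schemes whose authority component may carry user:password.
URL_SCHEMES = {"http", "https", "ssh", "ftp"}


def strip_userinfo(url: str) -> tuple[str, bool]:
    """Return (url_without_userinfo, had_userinfo).

    Operates on the raw netloc and never decodes the URL, so a
    percent-encoded password (e.g. 'p%40ss%3Aw0rd') is removed exactly like
    a plain one, and an encoded '@' inside the password cannot confuse the
    split on the real '@' that ends the userinfo.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in URL_SCHEMES or "@" not in parts.netloc:
        # SCP-style 'git@host:org/repo.git' has no authority component; the
        # 'git' there is an SSH login name, not a secret, so it is left alone.
        return url, False
    hostport = parts.netloc.rsplit("@", 1)[1]
    clean = urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    return clean, True


def decoded_userinfo(url: str) -> tuple[str | None, bool]:
    """Return (decoded_username, password_present).

    Enough for an operator to identify which account's credential to rotate;
    the password itself is deliberately not returned.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in URL_SCHEMES or "@" not in parts.netloc:
        return None, False
    userinfo = parts.netloc.rsplit("@", 1)[0]
    user, sep, _password = userinfo.partition(":")
    return unquote(user), bool(sep)


def sanitize_metadata(metadata: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Redact every metadata value that is a URL with userinfo.

    Returns the cleaned mapping and the list of keys whose values needed
    redaction (those are the credentials that should be rotated).
    """
    clean: dict[str, str] = {}
    flagged: list[str] = []
    for key, value in metadata.items():
        redacted, had_userinfo = strip_userinfo(value)
        clean[key] = redacted
        if had_userinfo:
            flagged.append(key)
    return clean, flagged


if __name__ == "__main__":
    # Constructed sample of what a build-data plugin might capture.
    captured = {
        "git.remote": "https://ci-bot:s3cr%3Dt@git.example.com/app.git",
        "git.branch": "main",
    }
    cleaned, needs_rotation = sanitize_metadata(captured)
    print(cleaned)
    for key in needs_rotation:
        user, has_password = decoded_userinfo(captured[key])
        print(f"{key}: credentials for user {user!r} "
              f"(password present: {has_password}); rotate this secret")
```

The check runs on the raw URL string rather than a decoded copy because decoding first would turn an encoded `@` or `:` in the password into a delimiter and could leave part of the secret in the "host" that gets published.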
