CVE-2020-15767: CSRF
First published: Fri Sep 18 2020(Updated: )
An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gradle Enterprise | <2020.2.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-15767?
CVE-2020-15767 is a vulnerability discovered in Gradle Enterprise before version 2020.2.5.
What is the severity of CVE-2020-15767?
The severity of CVE-2020-15767 is medium with a CVSS score of 5.3.
How does CVE-2020-15767 affect Gradle Enterprise?
CVE-2020-15767 affects Gradle Enterprise before version 2020.2.5.
What is the impact of CVE-2020-15767?
CVE-2020-15767 allows an attacker with the ability to MITM plain HTTP requests to obtain the CSRF prevention token.
How do I fix CVE-2020-15767?
To fix CVE-2020-15767, upgrade to Gradle Enterprise version 2020.2.5 or later.
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/description
- agent/type
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/gradle
- canonical/gradle enterprise