CVE-2020-15777
First published: Tue Aug 25 2020(Updated: )
An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious deserialization gadget chain. The socket is not bound exclusively to localhost. The port this socket is assigned to is randomly selected and is not intentionally exposed to the public (either by design or documentation). This could potentially be used to achieve remote code execution and local privilege escalation.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gradle Maven | <1.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-15777?
CVE-2020-15777 is a vulnerability in the Maven Extension plugin for Gradle Enterprise.
How severe is CVE-2020-15777?
CVE-2020-15777 has a severity score of 7.8, which is considered high.
How does CVE-2020-15777 work?
CVE-2020-15777 allows an attacker to achieve code execution by sending malicious serialized Java objects via a socket connection.
Which software is affected by CVE-2020-15777?
The Maven Extension plugin for Gradle Enterprise versions up to and excluding 1.6 are affected by CVE-2020-15777.
How can I fix CVE-2020-15777?
To fix CVE-2020-15777, update the Maven Extension plugin to version 1.6 or newer.
- collector/nvd-index
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/weakness
- agent/tags
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/gradle
- canonical/gradle maven