What is the vulnerability ID for this issue?

The vulnerability ID for this issue is CVE-2021-41589.

What is the severity of CVE-2021-41589?

The severity of CVE-2021-41589 is critical with a score of 9.8.

What is affected by CVE-2021-41589?

Gradle Build Cache Node versions up to exclusive 10.0 and Gradle Enterprise versions up to exclusive 2021.3 are affected by CVE-2021-41589.

How can I fix CVE-2021-41589?

To fix CVE-2021-41589, it is recommended to upgrade to the latest version of Gradle Enterprise (2021.3 or later) or Gradle Build Cache Node (10.0 or later).

Vulnerability/
CVE-2021-41589

critical

9.8

CWE

732

27/10/2021

4/8/2024

CVE-2021-41589

Q: How can this vulnerability be exploited?

This vulnerability can be exploited to perform cache poisoning and remote code execution when running the build cache node with its default configuration.

First published: Wed Oct 27 2021(Updated: )

In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code execution when running the build cache node with its default configuration. This configuration allows anonymous access to the configuration user interface and anonymous write access to the build cache. If access control to the build cache is not changed from the default open configuration, a malicious actor with network access can populate the cache with manipulated entries that may execute malicious code as part of a build process. This applies to the build cache provided with Gradle Enterprise and the separate build cache node service if used. If access control to the user interface is not changed from the default open configuration, a malicious actor can undo build cache access control in order to populate the cache with manipulated entries that may execute malicious code as part of a build process. This does not apply to the build cache provided with Gradle Enterprise, but does apply to the separate build cache node service if used.

Credit: cve@mitre.org

Affected Software	Affected Version	How to fix
Gradle Build Cache Node	<10.0
Gradle Enterprise	<2021.3

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-41589.
What is the severity of CVE-2021-41589?
The severity of CVE-2021-41589 is critical with a score of 9.8.
What is affected by CVE-2021-41589?
Gradle Build Cache Node versions up to exclusive 10.0 and Gradle Enterprise versions up to exclusive 2021.3 are affected by CVE-2021-41589.
How can this vulnerability be exploited?
This vulnerability can be exploited to perform cache poisoning and remote code execution when running the build cache node with its default configuration.
How can I fix CVE-2021-41589?
To fix CVE-2021-41589, it is recommended to upgrade to the latest version of Gradle Enterprise (2021.3 or later) or Gradle Build Cache Node (10.0 or later).

collector/nvd-index
agent/references
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/last-modified-date
agent/weakness
agent/author
agent/type
agent/description
agent/first-publish-date
agent/tags
agent/event
vendor/gradle
canonical/gradle build cache node
canonical/gradle enterprise

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.