CVE-2021-41619: Code Injection
First published: Wed Oct 27 2021(Updated: )
An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gradle Enterprise | >=2020.4<2021.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this issue in Gradle Enterprise?
The vulnerability ID is CVE-2021-41619.
What is the severity of CVE-2021-41619?
The severity of CVE-2021-41619 is critical with a CVSS score of 7.2.
How can remote code execution be achieved through this vulnerability?
Remote code execution can be achieved through the ability to specify arbitrary Java Virtual Machine startup options in the installation configuration user interface.
What versions of Gradle Enterprise are affected by this vulnerability?
Gradle Enterprise versions between 2020.4 and 2021.1.2 are affected by this vulnerability.
Is there a fix available for CVE-2021-41619?
Yes, a fix is available in Gradle Enterprise version 2021.1.2.
- collector/nvd-index
- agent/author
- agent/severity
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/tags
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/gradle
- canonical/gradle enterprise
- version/gradle enterprise/2020.4