CVE-2019-15052 — Insufficiently Protected Credentials in Gradle

CWE-522 — Insufficiently Protected Credentials8 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.3%

top 45.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gradle Debian Gradle

Timeline

PublishedAug 14

Latest updateMay 24

Description

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDgradle/gradle< 5.6

▶debiandebian/gradle

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-xx6j-wqj7-mrv3: The HTTP client in the Build tool in Gradle before 5↗2022-05-24

▶

OSV

CVE-2019-15052: The HTTP client in Gradle before 5↗2019-08-14

▶

📋Vendor Advisories

Red Hat

gradle: sends authentication credentials originally destined for the configured host↗2019-08-14

▶

Debian

CVE-2019-15052: gradle - The HTTP client in Gradle before 5.6 sends authentication credentials originally...↗2019

▶

💬Community

Bugzilla

CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host [fedora-all]↗2019-09-27

▶

Bugzilla

CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host↗2019-09-27

▶

Bugzilla

CVE-2019-15052 gradle: sends authentication credentials originally destined for the configured host [epel-6]↗2019-09-27

▶