CVE-2021-29427: Inclusion of Functionality from Untrusted Control Sphere in Gradle

Severity: 7.2 HIGH (NVD)
EPSS: 0.6% (top 31.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Latest update: Apr 9
Published: Apr 13

Description

In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when rep
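The control the description refers to is repository content filtering: each repository declared in a build is restricted to the group/module coordinates it is allowed to serve, so a request for an internal artifact is never sent to a public repository (information disclosure) and a public artifact with the same coordinates is never substituted for it (dependency poisoning). The following is an added example of how that control is declared, not code from the advisory or from the Gradle project. The repository URL https://repo.example.internal/maven and the group prefix com.example are assumptions for illustration. Per the Red Hat advisory listed below, on affected versions (5.1 up to but not including 7.0) the filter in the settings file's pluginManagement block is ignored, so the pluginManagement part of this example only takes effect once the build runs on Gradle 7.0 or later.

```groovy
// settings.gradle (Groovy DSL). Added example; hypothetical internal repository.
// Plugin resolution: the internal repository may only answer for com.example.*
// plugin coordinates. NOTE: on Gradle 5.1 .. 6.8.3 this filter is ignored here
// (CVE-2021-29427, "content filters do not work in Settings pluginManagement"),
// and Gradle may query every declared repository; it is honoured from 7.0 on.
pluginManagement {
    repositories {
        maven {
            url = uri('https://repo.example.internal/maven')   // assumed URL
            content {
                // Matches "com.example" and any sub-group such as "com.example.build".
                includeGroupByRegex 'com\\.example(\\..*)?'
            }
        }
        gradlePluginPortal()
    }
}

// build.gradle (Groovy DSL). Added example; same hypothetical repository.
// Project dependency resolution: exclusiveContent (Gradle 6.2+) makes the
// internal repository the ONLY source for com.example.* coordinates, and also
// prevents those coordinates from ever being requested from Maven Central.
repositories {
    exclusiveContent {
        forRepository {
            maven { url = uri('https://repo.example.internal/maven') }   // assumed URL
        }
        filter {
            includeGroupByRegex 'com\\.example(\\..*)?'
        }
    }
    // Everything not claimed above is resolved from Maven Central only.
    mavenCentral()
}
```

The split matters for this CVE: the build.gradle filters above were honoured on the affected versions, while the settings.gradle pluginManagement filters were not, so a build that relied on content filtering to keep internal plugin coordinates off the public plugin portal had no effective protection until the upgrade to 7.0.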

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (4 packages)

Source      Package            Affected versions
NVD         gradle/gradle      5.1 to 7.0 (>= 5.1, < 7.0, per the description)
CVEListV5   gradle/gradle      >= 5.1, <= 6.8.3
debian      debian/gradle      (no version range given)
NVD         quarkus/quarkus    2.2.3

Vendor Advisories (2)

Red Hat: gradle: repository content filters do not work in Settings pluginManagement (2021-04-09)
Debian: CVE-2021-29427: gradle - In Gradle from version 5.1 and before version 7.0 there is a vulnerability which... (2021)