CVE-2021-29428Creation of Temporary File With Insecure Permissions in Gradle

CWE-378Creation of Temporary File With Insecure PermissionsCWE-379Creation of Temporary File in Directory with Insecure PermissionsCWE-276Incorrect Default Permissions4 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.1%
top 74.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
GradleQuarkusDebian Gradle
Timeline
PublishedApr 13

Description

In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

NVDgradle/gradle< 7.0
debiandebian/gradle
NVDquarkus/quarkus2.2.3

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

1
OSV
CVE-2021-29428: In Gradle before version 72021-04-13

📋Vendor Advisories

2
Red Hat
gradle: local privilege escalation through system temporary directory2021-04-09
Debian
CVE-2021-29428: gradle - In Gradle before version 7.0, on Unix-like systems, the system temporary directo...2021