CVE-2021-29429: Insecure Temporary File in Gradle

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 91.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 12

Description

In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through `TextResourceFactory` are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (3 packages)

NVD: gradle/gradle < 7.0
debian: debian/gradle
NVD: quarkus/quarkus 2.2.3

🔴 Vulnerability Details (1)

OSV: CVE-2021-29429: In Gradle before version 7 (2021-04-12)

📋 Vendor Advisories (2)

Red Hat: gradle: information disclosure through temporary directory permissions (2021-04-09)
Debian: CVE-2021-29429: gradle - In Gradle before version 7.0, files created with open permissions in the system ... (2021)