CVE-2021-32751: OS Command Injection in Gradle

Severity
7.5 HIGH (NVD)
EPSS
0.3% (top 50.89%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 20

Description

Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in their application on Unix-like systems. For this vulnerability to be exploitable, an attacker need

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (2 packages)

NVD: gradle/gradle < 7.2
Debian: debian/gradle

Vulnerability Details (1)

OSV
CVE-2021-32751: Gradle is a build tool with a focus on build automation (2021-07-20)

Vendor Advisories (2)

Red Hat
gradle: Arbitrary code execution via specially crafted environment variables (2021-07-20)
Debian
CVE-2021-32751: gradle - Gradle is a build tool with a focus on build automation. In versions prior to 7.... (2021)