Vulnerability Details CVE-2022-25364
In Gradle Enterprise before 2021.4.2, the default built-in build cache configuration allowed anonymous write access. If this was not manually changed, a malicious actor with network access to the build cache could potentially populate it with manipulated entries that execute malicious code as part of a build. As of 2021.4.2, the built-in build cache is inaccessible-by-default, requiring explicit configuration of its access-control settings before it can be used. (Remote build cache nodes are unaffected as they are inaccessible-by-default.)
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 48.0%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 9.3
References
Products affected by CVE-2022-25364
-
cpe:2.3:a:gradle:enterprise:2017.1
-
cpe:2.3:a:gradle:enterprise:2017.3
-
cpe:2.3:a:gradle:enterprise:2018.2
-
cpe:2.3:a:gradle:enterprise:2018.5
-
cpe:2.3:a:gradle:enterprise:2018.5.1
-
cpe:2.3:a:gradle:enterprise:2018.5.2
-
cpe:2.3:a:gradle:enterprise:2018.5.3
-
cpe:2.3:a:gradle:enterprise:2020.1
-
cpe:2.3:a:gradle:enterprise:2020.2
-
cpe:2.3:a:gradle:enterprise:2020.2.4
-
cpe:2.3:a:gradle:enterprise:2020.2.5
-
cpe:2.3:a:gradle:enterprise:2020.4
-
cpe:2.3:a:gradle:enterprise:2021.3