CVE-2021-29427
Vulnerability from cvelistv5
Published
2021-04-13 17:55
Modified
2024-08-03 22:02
Summary
Repository content filters do not work in Settings pluginManagement
Impacted products
gradlegradle
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:02:51.882Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gradle",
          "vendor": "gradle",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.1, \u003c= 6.8.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \"A Confusing Dependency\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-04-13T17:55:24",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395"
        }
      ],
      "source": {
        "advisory": "GHSA-jvmj-rh6q-x395",
        "discovery": "UNKNOWN"
      },
      "title": "Repository content filters do not work in Settings pluginManagement",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-29427",
          "STATE": "PUBLIC",
          "TITLE": "Repository content filters do not work in Settings pluginManagement"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "gradle",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 5.1, \u003c= 6.8.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "gradle"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \"A Confusing Dependency\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://docs.gradle.org/7.0/release-notes.html#security-advisories",
              "refsource": "MISC",
              "url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
            },
            {
              "name": "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395",
              "refsource": "CONFIRM",
              "url": "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-jvmj-rh6q-x395",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-29427",
    "datePublished": "2021-04-13T17:55:24",
    "dateReserved": "2021-03-30T00:00:00",
    "dateUpdated": "2024-08-03T22:02:51.882Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-29427\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-04-13T20:15:21.703\",\"lastModified\":\"2021-10-20T14:32:48.897\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \\\"A Confusing Dependency\\\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.\"},{\"lang\":\"es\",\"value\":\"En Gradle desde versi\u00f3n 5.1 y anterior a la versi\u00f3n 7.0, se presenta una vulnerabilidad que puede conducir a la divulgaci\u00f3n de informaci\u00f3n y/o envenenamiento por dependencia.\u0026#xa0;El filtrado de contenido del repositorio es un control de seguridad que Gradle introdujo para ayudar a los usuarios a especificar qu\u00e9 repositorios se usan para resolver dependencias espec\u00edficas.\u0026#xa0;Esta funci\u00f3n se introdujo a ra\u00edz de la publicaci\u00f3n de blog \\\"A Confusing Dependency\\\".\u0026#xa0;En algunos casos, Gradle puede ignorar los filtros de contenido y buscar dependencias en todos los repositorios.\u0026#xa0;Esto solo ocurre cuando el filtrado de contenido del repositorio se usa dentro de un bloque `pluginManagement` en un archivo de configuraci\u00f3n.\u0026#xa0;Esto puede cambiar la forma en que se resuelven las dependencias para los plugins de Gradle y los scripts de compilaci\u00f3n.\u0026#xa0;Para las compilaciones que son vulnerables, existen dos riesgos: 1) Divulgaci\u00f3n de informaci\u00f3n:\u0026#xa0;Gradle podr\u00eda realizar peticiones de dependencia a repositorios fuera de su organizaci\u00f3n y filtrar identificadores de paquetes internos.\u0026#xa0;2) Envenenamiento por Dependencia / Confusi\u00f3n de Dependencia: Gradle podr\u00eda descargar un binario malicioso de un repositorio fuera de su organizaci\u00f3n debido a la ocupaci\u00f3n ilegal de nombres.\u0026#xa0;Para obtener un ejemplo completo y m\u00e1s detalles, consulte el Aviso de seguridad de GitHub al que se hace referencia.\u0026#xa0;El problema se ha corregido y publicado con Gradle versi\u00f3n 7.0.\u0026#xa0;Los usuarios que conf\u00edan en esta funci\u00f3n deben actualizar su compilaci\u00f3n lo antes posible.\u0026#xa0;Como soluci\u00f3n alternativa, los usuarios pueden utilizar un repositorio de la empresa que tenga las reglas adecuadas para recuperar paquetes de repositorios p\u00fablicos, o utilizar el filtrado de contenido del repositorio a nivel de proyecto, dentro de `buildscript.repositories`.\u0026#xa0;Esta opci\u00f3n est\u00e1 disponible desde Gradle versi\u00f3n 5.1 cuando se introdujo la funci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.2,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.0,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.3,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-829\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.1\",\"versionEndExcluding\":\"7.0\",\"matchCriteriaId\":\"76D1A1A2-F95B-481D-8EAE-9E54EF5B1F1B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.2.3\",\"matchCriteriaId\":\"EF712520-1CFD-473A-B3F5-3CDDFE9C2C9A\"}]}]}],\"references\":[{\"url\":\"https://docs.gradle.org/7.0/release-notes.html#security-advisories\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.