cnvd - cnvd-2022-25187

CNVD-2022-25187

Vulnerability from cnvd - Published: 2022-03-31

Title

Gradle存在未明漏洞（CNVD-2022-25187）

Description

Gradle是美国Gradle公司的一套基于JVM的项目构建工具，它支持maven、Ivy仓库等。 Gradle Enterprise 存在安全漏洞，该漏洞允许远程执行代码。该配置允许某些匿名访问管理和 API。目前没有详细的漏洞细节提供。

Severity

高

Patch Name

Gradle存在未明漏洞（CNVD-2022-25187）的补丁

Patch Description

Gradle是美国Gradle公司的一套基于JVM的项目构建工具，它支持maven、Ivy仓库等。 Gradle Enterprise 存在安全漏洞，该漏洞允许远程执行代码。该配置允许某些匿名访问管理和 API。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://security.gradle.com/advisory/2022-05

Reference

https://cxsecurity.com/cveshow/CVE-2022-27919/

Impacted products

Name
Gradle Gradle Enterprise >=2020.4，<=2021.4.3

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-27919"
    }
  },
  "description": "Gradle\u662f\u7f8e\u56fdGradle\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJVM\u7684\u9879\u76ee\u6784\u5efa\u5de5\u5177\uff0c\u5b83\u652f\u6301maven\u3001Ivy\u4ed3\u5e93\u7b49\u3002\n\nGradle Enterprise \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002\u8be5\u914d\u7f6e\u5141\u8bb8\u67d0\u4e9b\u533f\u540d\u8bbf\u95ee\u7ba1\u7406\u548c API\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://security.gradle.com/advisory/2022-05",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-25187",
  "openTime": "2022-03-31",
  "patchDescription": "Gradle\u662f\u7f8e\u56fdGradle\u516c\u53f8\u7684\u4e00\u5957\u57fa\u4e8eJVM\u7684\u9879\u76ee\u6784\u5efa\u5de5\u5177\uff0c\u5b83\u652f\u6301maven\u3001Ivy\u4ed3\u5e93\u7b49\u3002\r\n\r\nGradle Enterprise \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5141\u8bb8\u8fdc\u7a0b\u6267\u884c\u4ee3\u7801\u3002\u8be5\u914d\u7f6e\u5141\u8bb8\u67d0\u4e9b\u533f\u540d\u8bbf\u95ee\u7ba1\u7406\u548c API\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Gradle\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-25187\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Gradle Gradle Enterprise \u003e=2020.4\uff0c\u003c=2021.4.3"
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2022-27919/",
  "serverity": "\u9ad8",
  "submitTime": "2022-03-29",
  "title": "Gradle\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2022-25187\uff09"
}

CVE-2022-27919 (GCVE-0-2022-27919)

Vulnerability from cvelistv5 – Published: 2022-03-25 19:55 – Updated: 2024-08-03 05:41

Summary

Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://security.gradle.com/advisory/2022-05

x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:41:11.043Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.gradle.com/advisory/2022-05"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-03-25T19:55:17",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.gradle.com/advisory/2022-05"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-27919",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an initial configuration file. The configuration allows certain anonymous access to administration and an API."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.gradle.com/advisory/2022-05",
              "refsource": "MISC",
              "url": "https://security.gradle.com/advisory/2022-05"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-27919",
    "datePublished": "2022-03-25T19:55:17",
    "dateReserved": "2022-03-25T00:00:00",
    "dateUpdated": "2024-08-03T05:41:11.043Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-25187

CVE-2022-27919 (GCVE-0-2022-27919)

Tags

Sightings

Nomenclature