CVSS: 7.5EPSS: 0%CPEs: 71EXPL: 0CVE-2020-11979 – ant: insecure temporary file
https://notcve.org/view.php?id=CVE-2020-11979
01 Oct 2020 — As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process. Como mitigación para CVE-2020-1945, Apache Ant versión 1.10.8, cambió los permisos de los archivos temporales que creó ... • https://github.com/gradle/gradle/security/advisories/GHSA-j45w-qrgf-25vm • CWE-377: Insecure Temporary File CWE-379: Creation of Temporary File in Directory with Insecure Permissions •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16370
https://notcve.org/view.php?id=CVE-2019-16370
16 Sep 2019 — The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900. El plugin PGP signing en Gradle versiones anteriores a 6.0, se basa en el algoritmo SHA-1, lo que podría permitir a un atacante reemplazar un artefacto por otro diferente que tenga el mismo resumen de mensaje SHA-1, un problema relacionado con el CVE-2005-4900. • https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-15052
https://notcve.org/view.php?id=CVE-2019-15052
14 Aug 2019 — The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007. El cliente HTTP en Gradle en versiones anteriores a la 5.6 envía las credenciales de autenticación destinadas originalmente para el host configurado. Si ese host devuelve una redirección 30x, Gradle también envía esas credenciales a... • https://github.com/gradle/gradle/issues/10278 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11065
https://notcve.org/view.php?id=CVE-2019-11065
09 Apr 2019 — Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site. Gradle versiones desde la 1.4 hasta la 5.3.1 utilizan una HTTP URL insegura, para descargar dependencias cuando se utilizan los plugins JavaScript o CoffeeScript Gradle incorporados. Los artefactos de dependencia podrían haber sido malici... • https://github.com/gradle/gradle/pull/8927 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-9843
https://notcve.org/view.php?id=CVE-2019-9843
15 Mar 2019 — In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file. En DiffPlug Spotless en versiones anteriores a 1.20.0 (library and Maven plugin) y anteriores a 3.20.0 (Gradle plugin), el analizador XML reso... • https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 3%CPEs: 1EXPL: 1CVE-2016-6199
https://notcve.org/view.php?id=CVE-2016-6199
07 Feb 2017 — ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. ObjectSocketWrapper.java en Gradle 2.12 permite a atacantes remotos ejecutar código arbitrario a través de un objeto serializado manipulado. • https://discuss.gradle.org/t/a-security-issue-about-gradle-rce/17726 • CWE-502: Deserialization of Untrusted Data •