CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2019-15052
https://notcve.org/view.php?id=CVE-2019-15052
The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007. El cliente HTTP en Gradle en versiones anteriores a la 5.6 envía las credenciales de autenticación destinadas originalmente para el host configurado. Si ese host devuelve una redirección 30x, Gradle también envía esas credenciales a todos los hosts posteriores a los que redirige la petición. • https://github.com/gradle/gradle/issues/10278 https://github.com/gradle/gradle/pull/10176 https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2019-11065
https://notcve.org/view.php?id=CVE-2019-11065
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site. Gradle versiones desde la 1.4 hasta la 5.3.1 utilizan una HTTP URL insegura, para descargar dependencias cuando se utilizan los plugins JavaScript o CoffeeScript Gradle incorporados. Los artefactos de dependencia podrían haber sido maliciosamente comprometidos por un ataque del MITM contra el sitio web ajax.googleapis.com. • https://github.com/gradle/gradle/pull/8927 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVXOXNLAYRGPKAZV63PYNV3HF27JW2MW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43P7SVDJOG6OUDVFR4ZIDITZLNHPGTO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YQ5CGOV5QVQCSPGE3WRZDKUGIXLHSZDR •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-9843
https://notcve.org/view.php?id=CVE-2019-9843
In DiffPlug Spotless before 1.20.0 (library and Maven plugin) and before 3.20.0 (Gradle plugin), the XML parser would resolve external entities over both HTTP and HTTPS and didn't respect the resolveExternalEntities setting. For example, this allows disclosure of file contents to a MITM attacker if a victim performs a spotlessApply operation on an untrusted XML file. En DiffPlug Spotless en versiones anteriores a 1.20.0 (library and Maven plugin) y anteriores a 3.20.0 (Gradle plugin), el analizador XML resolvería las entidades externas a través de HTTP y HTTPS y no respetaría la configuración de resolución de entidades externas. Por ejemplo, esto permite la divulgación del contenido del archivo a un atacante MITM si una víctima realiza una operación spotlessApply en un archivo XML que no es de confianza. • https://github.com/diffplug/spotless/blob/master/plugin-gradle/CHANGES.md#version-3200---march-11th-2018-javadoc-jcenter https://github.com/diffplug/spotless/blob/master/plugin-maven/CHANGES.md#version-1200---march-14th-2018-javadoc-jcenter https://github.com/diffplug/spotless/issues/358 https://github.com/diffplug/spotless/pull/369 https://lists.apache.org/thread.html/r7406e297228c42deeecdd12a576e39d63073faebf14b027b7608fdfd%40%3Cissues.iceberg.apache.org%3E • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 1CVE-2016-6199
https://notcve.org/view.php?id=CVE-2016-6199
ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. ObjectSocketWrapper.java en Gradle 2.12 permite a atacantes remotos ejecutar código arbitrario a través de un objeto serializado manipulado. • https://discuss.gradle.org/t/a-security-issue-about-gradle-rce/17726 https://philwantsfish.github.io/security/java-deserialization-github • CWE-502: Deserialization of Untrusted Data •