Unrestricted HTTP Header Reflection in Gradle Enterprise Products
CVE-2020-15768

7.5HIGH

Key Information:

Vendor

Gradle

Status
Enterprise Cache Node
Enterprise
Vendor
CVE Published:
18 September 2020

What is CVE-2020-15768?

A significant security flaw has been detected in Gradle Enterprise, which affects versions from 2017.3 to 2020.2.4 and Gradle Enterprise Build Cache Node versions 1.0 to 9.2. This vulnerability allows remote attackers to exploit unrestricted HTTP header reflection. By leveraging this issue alongside a separate cross-site scripting (XSS) vulnerability, an attacker could potentially gain access to authentication cookies. This scenario could result in the attacker impersonating a legitimate user, thereby compromising the integrity and security of user sessions. Key application request paths susceptible to this exploit include /info/headers, /cache-info/headers, /admin-info/headers, and /distribution-broker-info/headers for Gradle Enterprise, while the Build Cache Node impacts /cache-node-info/headers.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/gradle/gradle/security/advisories
x_refsource_MISC
https://security.gradle.com/advisory/CVE-2020-15768
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.