Insecure Cookie Handling Vulnerability in Gradle Enterprise by Gradle
CVE-2022-27225

6.5 MEDIUM

Key Information:

Vendor

Gradle

CVE Published:
16 March 2022

What is CVE-2022-27225?

Gradle Enterprise versions prior to 2021.4.3 exhibit a flaw in their cookie handling mechanism related to cleartext data transmission. The issue arises during the sign-in process, where Keycloak, used for identity management, sets browser cookies that provide session persistence. For compatibility with older versions of Safari, a duplicate cookie lacking the 'Secure' attribute is created. This allows the cookie to be transmitted over HTTP connections, making user login sessions vulnerable to session hijacking. An attacker impersonating the Gradle Enterprise host can exploit this by enticing users to click on HTTP links, potentially capturing their login credentials and session data.
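One way to check a sign-in response for the condition described above, as an added example that is not Gradle's or Keycloak's own code: it parses Set-Cookie header values and reports any cookie without the Secure attribute, noting when it carries the same value as a cookie that does have Secure. The cookie names and header values are constructed sample data.

```python
# Added example: audit Set-Cookie headers for cookies that may be sent over plain HTTP.
# All header values below are constructed sample data, not captured from a real server.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue  # tolerate a trailing ';'
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_cookies(headers):
    """Return one finding per cookie lacking Secure.

    'duplicates' names a Secure cookie with the same non-empty value, which is
    the pattern the advisory describes (a compatibility copy of a session cookie).
    """
    cookies = [parse_set_cookie(h) for h in headers]
    secure_by_value = {v: n for n, v, a in cookies if "secure" in a and v}
    findings = []
    for name, value, attrs in cookies:
        if "secure" in attrs:
            continue
        findings.append({
            "cookie": name,
            "issue": "missing Secure attribute",
            "duplicates": secure_by_value.get(value),
        })
    return findings


# Constructed sample: a session cookie plus a compatibility duplicate (hypothetical names).
SAMPLE_HEADERS = [
    "SESSION_ID=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "SESSION_ID_LEGACY=abc123; Path=/; HttpOnly",
    "LOCALE=en; Path=/; SECURE",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```
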

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
