CyberSec.Space Logo
Back to CVE Browser

CVE-2019-15052

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0360%
EPSS Percentile3.43th
PublishedAug 14, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

Affected Platforms (CPE)

πŸ“¦
Gradle

Gradle

< 5.6

References & Advisories

πŸ”— https://github.com/gradle/gradle/issues/10278
πŸ”— https://github.com/gradle/gradle/pull/10176
πŸ”— https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95
πŸ”— https://github.com/gradle/gradle/issues/10278
πŸ”— https://github.com/gradle/gradle/pull/10176
πŸ”— https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95

Related Vulnerabilities

CVE-2020-119869.8

To be able to analyze gradle projects, the build scripts need to be executed. Apache NetBeans follows this pattern. This causes th...

CVE-2019-114039.8

In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page sour...

CVE-2019-114029.8

In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.

CVE-2021-415899.8

In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote co...