Filtered by vendor Gradle Subscriptions
Total 47 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-11979 5 Apache, Fedoraproject, Gradle and 2 more 38 Ant, Fedora, Gradle and 35 more 2024-11-21 7.5 High
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
CVE-2019-16370 1 Gradle 1 Gradle 2024-11-21 5.9 Medium
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
CVE-2019-15052 1 Gradle 1 Gradle 2024-11-21 9.8 Critical
The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
CVE-2019-11403 1 Gradle 2 Build Cache Node, Enterprise 2024-11-21 9.8 Critical
In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.
CVE-2019-11402 1 Gradle 1 Enterprise 2024-11-21 9.8 Critical
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.
CVE-2019-11065 2 Fedoraproject, Gradle 2 Fedora, Gradle 2024-11-21 5.9 Medium
Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.
CVE-2016-6199 1 Gradle 1 Gradle 2024-11-21 N/A
ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.