CVE-2020-7599
Good to know:
Date: April 2, 2020
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI), this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.
Language: Java
Severity Score
Weakness Type (CWE)
Information Exposure Through Log Files
CWE-532
Top Fix
Upgrade Version
Upgrade to version com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:0.11.0;com.gradle.publish:plugin-publish-plugi:0.11.0
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | ADJACENT_NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | NONE |
Availability (A): | NONE |