Vulnerability Name: CVE-2021-29428 (CCN-200166)

Assigned: 2021-04-09
Published: 2021-04-09
Updated: 2021-10-20
Summary: In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.
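The two workaround checks from the summary, written as an added shell example (not code from Gradle or the advisory): it flags a shared temporary directory that is world-writable without the sticky bit, and creates a build-user-only directory for `java.io.tmpdir`. The function names and the `/tmp` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Gradle's code. Function names and paths are illustrative.

# Return 0 if DIR is safe to share: not world-writable, or world-writable with
# the sticky bit set. Return 1 for the exposed case the summary describes.
shared_tmpdir_is_safe() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -prune tests DIR itself only; -H resolves DIR if it is a symlink.
    # A match means "other" has write permission and the sticky bit is absent.
    if [ -n "$(find -H "$dir" -prune -perm -0002 ! -perm -1000 -print)" ]; then
        echo "UNSAFE: $dir is world-writable without the sticky bit" >&2
        return 1
    fi
    return 0
}

# Return 0 only if DIR is owned by the current user and its mode is exactly 0700.
# Symlinks are not followed, so a link to someone else's directory is rejected.
private_tmpdir_is_ok() {
    [ -n "$(find "$1" -prune -user "$(id -u)" -perm 0700 -print 2>/dev/null)" ]
}

# Create DIR with mode 0700 and print the JVM argument that relocates
# java.io.tmpdir. mkdir fails if DIR already exists, so a directory that
# another user created first is never adopted.
make_private_tmpdir() {
    dir=$1
    mkdir -m 700 -- "$dir" || return 1
    private_tmpdir_is_ok "$dir" || return 1
    printf '%s\n' "-Djava.io.tmpdir=$dir"
}

# Report on /tmp (assumed here to be the system temporary directory).
shared_tmpdir_is_safe /tmp && echo "/tmp: sticky bit set or not world-writable"
```

Create the private directory under a parent that other users cannot write to, such as the build user's home directory.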
CVSS v3 Severity: 7.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
7.0 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
7.9 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-378
CWE-379
Vulnerability Consequences: Gain Privileges
References: Source: MITRE
Type: CNA
CVE-2021-29428

Source: MISC
Type: Release Notes, Vendor Advisory
https://docs.gradle.org/7.0/release-notes.html#security-advisories

Source: XF
Type: UNKNOWN
gradle-cve202129428-priv-esc(200166)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/gradle/gradle/pull/15240

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/gradle/gradle/pull/15654

Source: CCN
Type: Gradle GIT Repository
Local privilege escalation through system temporary directory

Source: CONFIRM
Type: Exploit, Third Party Advisory
https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336

Source: CCN
Type: Gradle Web site
Gradle

Vulnerable Configuration: Configuration 1:
  • cpe:/a:gradle:gradle:*:*:*:*:*:*:*:* (Version < 7.0)

Configuration 2:
  • cpe:/a:quarkus:quarkus:*:*:*:*:*:*:*:* (Version <= 2.2.3)

Configuration CCN 1:
  • cpe:/a:gradle:gradle:2.12:*:*:*:*:*:*:*
  • OR cpe:/a:gradle:gradle:1.4:-:*:*:*:*:*:*
  • OR cpe:/a:gradle:gradle:5.6.2:*:*:*:*:*:*:*
