CVE-2019-15052

Published: 14 August 2019

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

Notes

Author: ebarretto
Note: According to upstream advisory a backport of the fix (still unknown) might be unfeasible.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package: gradle (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Needed
disco      Ignored (reached end-of-life)
eoan       Ignored (reached end-of-life)
focal      Needed
groovy     Ignored (reached end-of-life)
hirsute    Ignored (reached end-of-life)
impish     Ignored (reached end-of-life)
jammy      Needed
precise    Does not exist
trusty     Does not exist
upstream   Released (5.6)
xenial     Ignored (end of standard support, was needs-triage)