CVE-2020-7599

Published: Mar 30, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.

Vendor	Product	Versions
n/a	com.gradle.plugin-publish	affected `all versions before 0.11.0`

References

https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866

x_refsource_MISC

https://blog.gradle.org/plugin-portal-update

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-7599

Description

Affected Products

References