An issue was discovered in Gradle Enterprise 2018.5. An attacker can potentially make repeated attempts to guess a local user's password, due to lack of lock-out after excessive failed logins.

All advisories**Local user login is susceptible to brute force password guessing**

**Affected product(s)**

*   Gradle Enterprise 2018.5

**Severity**

Moderate

**Published at**

2020-09-15

**Related CVE ID(s)**

*   CVE-2020-15770

**Description**

An attacker can potentially make repeated attempts to guess a local user's password, due to lack of lock-out after excessive failed logins.

**Mitigation**

Upgrade to Gradle Enterprise 2020.2.5.

**Credit**

This issue was responsibly reported by Compass Security.

CVE-2020-15770: Gradle Enterprise - Security Advisories

The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.

This issue is to discuss CVE-2019-15052 and answer any questions that people may have.

Our official advisory can be found here: GHSA-4cwg-f7qc-6r95

**CVSSv3 Score**

We believe that this vulnerability will receive the same CVSSv3 score as the cURL vulnerability listed below.

As such, we have provided the following _estimated_ scoring:

**CVSS v3.0 Severity and Metrics:**

**Base Score:** 9.8 CRITICAL  
**Vector:** AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Impact Score:** 5.9  
**Exploitability Score:** 3.9

**Additional context**

cURL had this same vulnerability which was fixed in cURL v7.58.0  
Their disclosure can be found here:  
https://curl.haxx.se/docs/CVE-2018-1000007.html

**Original Report**

Below is the contents of the original vulnerability disclosure reported by @uriahcarpenter.

**Expected Behavior**

If basic authentication is configured for a Maven repository credentials are _only_ sent to the hostname configured.

**Current Behavior**

If the Maven repository responds with an HTTP redirection response (e.g. 302/304/307) to a different hostname Gradle _includes_ the basic authorization header. Some may consider this an information disclosure security issue.

**Context**

Some Maven repositories may perform HTTP redirects to serve large-binaries from via a CDN; an example of this is Artifactory's Direct Cloud Storage Download feature. This Artifactory feature ultimately uses a S3 signed URL as a HTTP redirect. However the S3 request fails because there is authorization in the URL _and_ Gradle sends the _unrelated_ basic authentication header.

**Steps to Reproduce**

I have created a full working example of this issue:

*   Clone https://github.com/Widen/gradle-s3
*   Execute ./gradlew classes --no-daemon --refresh-dependencies
*   Build will fail with a 400 response error

The underlaying cause of the 400 error is slightly difficult to diagnose because Gradle does not output the text of the response, so I'm including screen shots of the request and responses using a local HTTP proxy.

Request and response to my _fake_ Maven repository:

Request and response to S3 URL. Note the actual _bug_ is that the header Authorization = Basic Zm9vOmJheg== is being sent to the server gradle-s3-auth-issue.s3.amazonaws.com.

**Environment**

Sample project is configured to use the latest Gradle release; 5.5.1.

Please feel free to leave any questions you may have below.

Please report any new security vulnerabilities to security@gradle.com.

CVE-2019-15052: [DISCUSSION] CVE-2019-15052: Repository authentication sent to server of HTTP redirection response · Issue #10278 · gradle/gradle

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Labels

CVE

Issues related to public CVEs (security vuln reports)

**Comments**

 cowtowncoder changed the title Block yet another gadget type (CVE to be requested) Block yet another gadget type (CVE-2019-12814)

Jun 14, 2019

Fixed in 2.7, 2.8, 2.9, 2.10 and master branches for likely release in 2.9.9.1 and 2.10.0.

When can we expect a 2.9.9.1 release?

hilmarf, daniel-schel, victor7437, zageyiff, lbourdages, dannil, lbalmaceda, j-tim, jactor-rises, emmberk, and 37 more reacted with thumbs up emoji

This was referenced

Jun 22, 2019

I appreciate the hard work being done by the jackson-databind developers, but 3 days later, I have to repeat @antalindisguise's question again: Why isn't 2.9.9.1 released yet? Those of us who use the OWASP Dependency Check plugin in our projects now have failing builds because of CVE-2019-12814, without a proper remedy. I really don't like adding a suppression for a legitimate security issue. 😕

@volkert-fastned if it helps, you've had a legitimate security issue for ages already, you just didn't know about it until today. Plus, if you don't have JDOM then it would be a legitimate suppression,

@OrangeDog Thanks. I read it in the CVE description as well.

So when the following commands return no results, the project should be unaffected, correct?

    # Maven project
    mvn dependency:tree | grep -i jdom
    
    # Gradle project
    ./gradlew dependencies | grep -i jdom
    

> @OrangeDog Thanks. I read it in the CVE description as well.
> 
> So when the following commands return no results, the project should be unaffected, correct?
> 
>     # Maven project
>     mvn dependency:tree | grep -i jdom
>     
>     # Gradle project
>     ./gradlew dependencies | grep -i jdom
>     

Well you would also have to "enableDefaultTyping" (either globally or for a specific property :)

For me, the problem is that our pipeline checks for dependencies with known issues and abort the process if a problem is found. You can argue that the problem is in the previous versions, but if the problem is solved why not just release?

@mpbalmeida in general you cannot expect every dependency to release a fix as soon as a vulnerability is known. If your pipeline relies on that, then you need to make changes.

@volkert-fastned

> So when the following commands return no results, the project should be unaffected

What's on the classpath when your code runs is not simply the list of project dependencies. You need to audit your systems and be aware of what's happening.

We can manually trigger to rebuild, but I thought the problem was already solved because there were no open issues in 2.9.9.1 milestone

I don't know the details of how this issue was discovered or originally disclosed (insert grain of salt)  
But IMHO, It would be nice to release the fix before disclosing the vuln.

> @volkert-fastned
> 
> > So when the following commands return no results, the project should be unaffected
> 
> What's on the classpath when your code runs is not simply the list of project dependencies. You need to audit your systems and be aware of what's happening.

In the specific case of CVE-2019-12814, one of the prerequisites for being vulnerable (kind of a weird way to put it, but you know what I mean) is "the service has JDOM 1.x or 2.x jar **in the classpath**". Source: https://nvd.nist.gov/vuln/detail/CVE-2019-12814

By the way, it's kind of odd how an XML dependency such as JDOM would trigger a JSON-related vulnerability.

> @volkert-fastned if it helps, you've had a legitimate security issue for ages already, you just didn't know about it until today. Plus, if you don't have JDOM then it would be a legitimate suppression,

It is worth noting that JDOM2 comes as a dependency within the latest version of **Spring-Boot-Starter-Parent 2.1.6**  
https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-parent/2.1.6.RELEASE  
_(edited to reflect a mistake i made by saying spring-boot when I meant spring-boot-starter-parent)  
Thanks @benjamin Asbach for making me recheck and finding my mistake_

If you run the cmd:  
mvn help:effective-pom -Doutput=effective.xml  
and then search for JDOM you can see it's there at version <jdom2.version>2.0.6</jdom2.version>

Really hoping version 2.9.9.1 is released soon, this is causing me head aches.

> It is worth noting that JDOM2 comes as a dependency within the latest version of SpringBoot 2.1.6
> 
> If you run the cmd:  
> mvn help:effective-pom -Doutput=effective.xml  
> and then search for JDOM you can see it's there at version <jdom2.version>2.0.6</jdom2.version>
> 
> Really hoping version 2.9.9.1 is released soon, this is causing me head aches.

Really??? I thought mvn dependency:tree also showed all **transitive** dependencies. Yet another thing you can't rely on. 😕

Thanks for sharing this method, @andr3w-hilton.

And again, not to be ungrateful to the developers, but what's holding up the 2.9.9.1 release right now? Is it undergoing a final rigorous code audit and/or pentest? Because in that case, I completely understand and support the current holdup.

@volkert-fastned @cowtowncoder has simply taken a break lol - nothing more nothing less.  
Perhaps assist by having a PR ready for when he gets back?

Well, to be fair, everybody deserves a good vacation every now and then. 🙂

But I don't think any PRs are necessary anymore. The actual issues have already been resolved. It's just that we're still waiting for the 2.9.9.1 release that contains these fixes: https://github.com/FasterXML/jackson-databind/milestone/97

By the way, It's somewhat worrisome how such a crucial library like jackson-databind apparently has so few developers maintaining it, that the vacation of one person would block a release with an important security fix. One obviously can't blame any individual developers or maintainers for that. This is a problem that needs to be solved at an organizational level.

xD

Not really, usually all deploys are held monitored and approved by a single person?

There's a few maintainers hey, I know Tatu is getting ready for 2.10 and doing the min jdk8 impl, i'm doing the jpms impl, I know a few others are doing a few bits as well.  
Also what organization do you believe is running this project? :)

Naw, the way it is now is correct, the single point for final approve and deployment definitely is correct. and yea I think he is allowed a break for as long as needed. Rather wait patiently and get a refreshed mind doing it. There also seems to be people complaining about dropping jdk 6 support (but 2.10 drops jdk 7 support), so I believe there's that consideration for 2.9.10 as well for some security fixes (although the jdk has more holes than any library), so there's a lot going on

> all deploys are held monitored and approved by a single person?

If (hopefully not) the one person who can do that gets hit by a car while on holiday, does that mean that there will never be another release of Jackson? There needs to be multiple people who can do it, both to deal with that situation, and with this one.

> I thought mvn dependency:tree also showed all transitive dependencies.

It does. @andr3w-hilton is mistaken and looking at the <dependencyManagement> section, not the <dependencies>.

This was referenced

Feb 4, 2022

This was referenced

Mar 11, 2022

This was referenced

Mar 12, 2022

This was referenced

Mar 31, 2022

This was referenced

May 10, 2022

This was referenced

Apr 28, 2023

This was referenced

Aug 29, 2023

This was referenced

Sep 7, 2023

Labels

CVE

Issues related to public CVEs (security vuln reports)

CVE-2019-12814: Block yet another gadget type (jdom, CVE-2019-12814) · Issue #2341 · FasterXML/jackson-databind

In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewing the HTML page source of the settings page.

**Gradle Enterprise 2018.5**

Gradle Enterprise 2018.5 provides a powerful new tool for debugging build cache misses: identifying the changed input files that led to a cache miss. This makes it easier than ever before to reduce build times by optimizing your build cache usage.

New access control features allow individual user logins and role based access. Users and roles can be created and managed within Gradle Enterprise or sourced from an existing LDAP service or SAML 2.0 identity provider, allowing users to log in with their existing organization credentials.

Read on for the details of these and other new features and improvements.

Use version 2.1 of the build scan plugin for optimal usage of Gradle Enterprise.

**Highlights**

**Identify changed files causing build cache misses**

Previously, the task inputs comparison determined and visualized which _properties_ of a task changed between two builds. Now, it also determines and visualizes which _individual input files_ of a task changed between builds, making debugging unexpected build cache misses significantly easier.

This is especially helpful for tracking down build cache misses caused by timestamps or other always-changing values being written to files during the build.

A new tutorial is available explaining how to use this powerful new functionality.

This feature requires enabling capture of extra data by the build scan plugin, which results in Gradle Enterprise using more disk space to store build scans. It is strongly recommended to read the upgrade notes related to this feature for guidance on how enable it.

Task input files comparison requires Gradle 5.0+ and build scan plugin 2.1+.

**Log in with your organization credentials**

Gradle Enterprise now supports individual user login and access control. User accounts and permissions can be created and managed locally in Gradle Enterprise, or can be sourced from an LDAP service, including Active Directory, or a SAML 2.0 identity provider.

For information on configuring the new access control capabilities, please see the Gradle Enterprise Admin Manual.

With the addition of much more powerful access control, the previous shared username and password access controls have been removed. If you were using this, ensure you read the upgrade notes related to this feature for how to replace that functionality.

**Assess impact of inputs snapshotting on build time**

The task inspector in the timeline view now indicates how much time was spent “snapshotting” inputs as part of the task execution.

The term “snapshotting” refers to Gradle’s inspection of the task’s inputs in order to determine whether the task is UP-TO-DATE or whether its outputs can be retrieved from a build cache instead of executing it.

In some pathological cases, this can take a non-negligible amount of time. This can occur when there are _many_ input files to a task or when disk access is particularly slow. This is usually noticed as a task that is UP-TO-DATE is taking a surprising amount of time. The indication of how much time was spent performing snapshotting now makes it possible to understand whether this was the cause of a slow task.

Inputs snapshotting build time requires Gradle 5.0+ and build scan plugin 2.1+.

**Reduced disk space usage and improved scan viewing performance**

This release contains internal restructuring that allows more effectively freeing the space that was used by build scans that have been deleted, which reduces overall disk usage. This change also improves the efficiency of build scan viewing.

The restructuring happens in the background during the normal operation of Gradle Enterprise after upgrading. It is strongly recommended to read the upgrade notes related to this change for information on the short term increased disk usage requirements.

**Upgrade notes**

If upgrading from a version of Gradle Enterprise prior to 2018.4, be sure to also consult the release notes for all interim versions.

**Breaking changes to access control**

The new individualized access control completely replaces the previous single shared credentials based access control. If you were using the previous access control mechanism, extra configuration is needed after upgrading.

You can emulate the previous behavior by creating a single account with the previously used shared credentials. Alternatively, you may wish to use this opportunity to create multiple user accounts or connect to an existing LDAP service or SAML 2.0 identity provider.

Please see the Gradle Enterprise Admin Manual for guidance on configuring access control.

**Disk space required for database restructure**

This release includes a significant database restructure, in order to provide the reduced disk usage and performance improvements mentioned in the highlights. Migrating to the new structure happens transparently and does not require additional downtime.

While Gradle Enterprise is migrating to the new structure it requires extra disk space. In some cases it may require nearly as much free space as is currently in use. If there is not sufficient free space to perform the migration, the migration _will not be attempted_. Instead, in the footer of the application you will see a graphic that looks like the following:

After starting Gradle Enterprise 2018.5, please check the footer of the application. If you do see the graphic above, please get in contact with Gradle Enterprise technical support to resolve the issue.

The background migration may take several hours. For installations with millions of build scans, it may take a day or two. There should be no noticeable performance degradation while the migration occurs.

**Impact of enabling capture of task input files**

The new ability to identify individual files that have changed with task inputs comparison requires _opting in_ to capture of task input files with the build scan plugin. When this capture is enabled, the build scan information sent to the server includes the path to and a hash of each file used during the build. The extra information must be stored in Gradle Enterprise, increasing its disk usage.

It is recommended to enable capture of task input files for all builds and to monitor server disk usage for a week after enabling to ensure that your Gradle Enterprise installation has adequate storage capacity for this extra data.

**Build scan plugin 2.x requires Gradle 5.0 or later**

The minimum supported Gradle version for the 2.x line of the build scan plugin has been raised from Gradle 2.0 to Gradle 5.0. This has allowed significant optimizations and simplifications within the build scan plugin that will facilitate faster development of future build scan features.

Previously, it was recommended to upgrade to the latest build scan plugin when upgrading Gradle Enterprise. However, if you have not yet upgraded to Gradle 5.0 you cannot upgrade to build scan plugin 2.x until you do. Instead, you should continue to use build scan plugin 1.16 which is compatible with Gradle Enterprise 2018.5.

If you have not yet upgraded to Gradle 5.0, please consider doing so in order to get the most out of Gradle Enterprise.

**Changes**

*   \[FIX\] Retried redundant scan uploads due to network failures may cause ingestion failures
*   \[FIX\] Failed remote store build cache requests are not prominently displayed as errors
*   \[FIX\] LDAP groups used for role membership cannot use member attribute other than 'member'
*   \[FIX\] Build cache credentials are stored unencrypted at rest
*   \[FIX\] Build cache node displays empty page on error

*   \[FIX\] Daily maintenance may only partially complete for new installations
*   \[FIX\] Disk space may be only partially reclaimed when many builds are processed in a day
*   \[FIX\] Memory usage may spike during daily maintenance
*   \[FIX\] Build cache credentials are reflected in node settings page

*   \[FIX\] Cannot provide SAML metadata when metadata URL requires authentication
*   \[FIX\] Cannot search for users in admin section by other fields such as first name
*   \[FIX\] Very large build caches may require increased heap size
*   \[FIX\] Temporary database failures may cause build cache process to run out of memory
*   \[FIX\] Backup process requires much more free disk space than the backup archive size

*   \[FEATURE\] Identify changed input files with task inputs comparison
*   \[FEATURE\] Individual user accounts and access control
*   \[FEATURE\] Source user information from an LDAP service
*   \[FEATURE\] Source user information from a SAML 2.0 identity provider
*   \[FEATURE\] Assess impact of inputs snapshotting on build time
*   \[FIX\] Disk space reclaimed by deleting old build scans is not returned to the operating system
*   \[FIX\] Ingesting many large build scans may consume excess disk usage
*   \[FIX\] Build deprecated usage details are not shown if no owning plugin is known
*   \[FIX\] Top left logo does not consistently link to Gradle Enterprise home page
*   \[FIX\] Build cache key is sometimes displayed in upper case

CVE-2019-11403: 2018.5

In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted format.

CVE-2019-11402: 2018.5

Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#gradle