Critical Severity Vulnerability
This vulnerability has been rated as Critical severity. Immediate action is recommended.
CVE-2019-15052
Critical
Low
Medium
High
Critical
9.8
CVSS Score
Vulnerability Description
The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
N
Attack Complexity
L
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
H
Integrity
H
Availability
H
Oracle
CPUJAN2025
Oracle Critical Patch Update Advisory - January 2025
Severity
Critical
Released
Jan 21, 2025
Restart Required
Security Update
References & Resources
-
https://github.com/gradle/gradle/issues/10278cve@mitre.org Exploit Issue Tracking Third Party Advisory
-
https://github.com/gradle/gradle/pull/10176cve@mitre.org Issue Tracking Patch Third Party Advisory
-
https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95cve@mitre.org Exploit Third Party Advisory
-
https://github.com/gradle/gradle/issues/10278af854a3a-2127-422b-91ae-364da2661108 Exploit Issue Tracking Third Party Advisory
-
https://github.com/gradle/gradle/pull/10176af854a3a-2127-422b-91ae-364da2661108 Issue Tracking Patch Third Party Advisory
-
https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95af854a3a-2127-422b-91ae-364da2661108 Exploit Third Party Advisory
Severity Details
9.8
out of 10.0
Critical
Weakness Type (CWE)
CWE-522
Insufficiently Protected Credentials
- Description
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
- Typical Severity
- High
- Abstraction Level
- Class
Key Information
- Published Date
- August 14, 2019
