CVSS2: 8.5 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.013 Low
Percentile: 86.0%
A flaw was found in Gradle's generated start scripts and in gradlew that allows a remote, authenticated attacker to execute arbitrary code on the system. By setting specially crafted environment variables for the user that runs the script, an attacker can execute arbitrary code on the system.

CI/CD systems using the Gradle build tool:
- You are not vulnerable if untrusted users are unable to change environment variables for the user that executes gradlew.
- If you are unable to upgrade to Gradle 7.2, you can generate a new gradlew script with Gradle 7.2 and use it with older versions of Gradle.

Applications using start scripts generated by Gradle:
- You are not vulnerable if untrusted users are unable to change environment variables for the user that executes the start script.
- If you are unsure, the vulnerable start script can be manually patched to remove the use of eval, or to remove the use of environment variables that affect the application's command line.
- If the application is simple enough, you may be able to avoid the start scripts altogether by running the application directly with the java command.
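The manual-patching workaround above hinges on one point: a start script that passes an environment variable through eval re-parses its contents as shell syntax, so anything that looks like a command substitution inside the variable is executed rather than handed to Java as an argument. The following shell fragment is an added example, not Gradle's start script or its 7.2 fix; the function names split_opts and has_shell_meta, the JAVA_OPTS value and the assumption that options contain no embedded spaces are all constructed for this illustration. It keeps the vulnerable eval form as a comment and shows a replacement that splits the variable into arguments using only the shell's field splitting, which never evaluates code:

```sh
#!/bin/sh
# Added example, not Gradle's own start script (hypothetical names throughout).
#
# Vulnerable pattern seen in older generated start scripts: eval re-parses the
# variable contents, so shell syntax inside JAVA_OPTS is executed instead of
# being passed to Java as text. Kept as a comment only; do not use this form.
#   eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS "$@"

# Hardened replacement: split the option string on whitespace with the shell's
# field splitting, globbing disabled. Nothing in the string is evaluated.
# Assumption (constructed for this example): individual options contain no
# embedded spaces; this simple splitter does not honour quotes.
split_opts() {
    # $1: option string, e.g. the contents of JAVA_OPTS.
    # Prints one argument per line so callers can inspect the result.
    set -f                  # disable pathname expansion so '*' stays literal
    # shellcheck disable=SC2086   # unquoted on purpose: field splitting is the point
    set -- $1
    set +f
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
}

# Audit helper: returns 0 if the string holds shell metacharacters that an
# eval-based script would have interpreted. Handy when checking which values
# reach a start script in a CI job.
has_shell_meta() {
    case "$1" in
        *'$('*|*'`'*|*';'*|*'|'*|*'&'*) return 0 ;;
    esac
    return 1
}

# Demo with a constructed value. Under the hardened splitter the command
# substitution text is carried as two literal arguments and never runs.
demo() {
    JAVA_OPTS='-Xmx1g -Dfoo=$(echo injected)'
    split_opts "$JAVA_OPTS"
    if has_shell_meta "$JAVA_OPTS"; then
        echo "warning: JAVA_OPTS contains shell metacharacters" >&2
    fi
}
demo
```

Run as a plain script: the demo prints the three split arguments (`-Xmx1g`, `-Dfoo=$(echo`, `injected)`) and a warning on stderr, and the string "injected" is never produced because no evaluation takes place. The Gradle 7.2 scripts solve the quoting problem more completely than this whitespace splitter; the point here is only that removing eval removes the code-execution path.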