Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatcveRedhat.comRH:CVE-2021-32751
HistorySep 18, 2023 - 7:24 a.m.

CVE-2021-32751

2023-09-1807:24:30
redhat.com
access.redhat.com
12
gradle
remote code execution
start scripts
arbitrary code
environment variables
vulnerability
patching
java command

8.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

0.013 Low

EPSS

Percentile

86.0%

JSON

A flaw was found in Gradle, which allows a remote, authenticated attacker to execute arbitrary code on the system caused by a flaw in start and gradlew. By sending specially crafted environment variables, an attacker can execute arbitrary code on the system.

Mitigation

CI/CD systems using the Gradle build tool
- You are not vulnerable if untrusted users are unable to change environment variables for the user that executes gradlew.
- If you are unable to upgrade to Gradle 7.2, you can generate a new gradlew script with Gradle 7.2 and use it for older versions of Gradle.

Applications using start scripts generated by Gradle
- You are not vulnerable if untrusted users are unable to change environment variables for the user that executes the start script.
- If you are unsure, the vulnerable start script could be manually patched to remove the use of eval or the use of environment variables that affect the application's command-line.
- If the application is simple enough, you may be able to avoid the use of the start scripts by running the application directly with the Java command.

Related

cve 1
alpinelinux 1
osv 2
veracode 1
debiancve 1
cnvd 1
nessus 1
prion 1
cvelist 1
nvd 1
ubuntucve 1
cve
cve
CVE-2021-32751
2021-07-20 23:15:37
alpinelinux
alpinelinux
CVE-2021-32751
2021-07-20 23:15:37
osv
osv
BIT-gradle-2021-32751
2024-03-06 10:54:32
CVE-2021-32751
2021-07-20 23:15:37
veracode
veracode
Remote Code Execution (RCE)
2021-10-23 11:32:21
debiancve
debiancve
CVE-2021-32751
2021-07-20 23:15:37
cnvd
cnvd
Gradle OS Command Injection Vulnerability
2021-07-22 00:00:00
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gradle (SUSE-SU-2023:2203-1)
2023-05-16 00:00:00
prion
prion
Command injection
2021-07-20 23:15:00
cvelist
cvelist
CVE-2021-32751 Arbitrary code execution via specially crafted environment variables
2021-07-20 22:55:12
nvd
nvd
CVE-2021-32751
2021-07-20 23:15:37
ubuntucve
ubuntucve
CVE-2021-32751
2021-07-20 00:00:00

8.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

0.013 Low

EPSS

Percentile

86.0%

JSON
Related for RH:CVE-2021-32751
cve1alpinelinux1osv2veracode1debiancve1cnvd1nessus1prion1cvelist1nvd1ubuntucve1