CVE-2020-15767

EPSS 0.14%
Veröffentlicht 18.09.2020 14:15:12
Zuletzt bearbeitet 21.11.2024 05:06:07
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Gradle Enterprise before 2020.2.5. The cookie used to convey the CSRF prevention token is not annotated with the “secure” attribute, which allows an attacker with the ability to MITM plain HTTP requests to obtain it, if the user mistakenly uses a HTTP instead of HTTPS address to access the server. This cookie value could then be used to perform CSRF.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gradle ≫ Enterprise Version < 2020.2.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.14%	0.299

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
nvd@nist.gov	2.6	4.9	2.9	AV:N/AC:H/Au:N/C:P/I:N/A:N

CWE-311 Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

https://github.com/gradle/gradle/security/advisories

Third Party Advisory

https://security.gradle.com/advisory/CVE-2020-15767

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-15767

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-15767

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-15767

EUVD