CVE-2021-41619

EPSS 2.28%
Published 27.10.2021 14:15:07
Last modified 21.11.2024 06:26:32
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Gradle ≫ Enterprise Version >= 2020.4 < 2021.1.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.28%	0.831

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://security.gradle.com

Vendor Advisory

https://security.gradle.com/advisory/2021-08

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-41619

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41619

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41619

EUVD