In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in before the legitimate administrator logs in.
During Gradle Enterprise installation, an initial system user is created with a non-unique, predictable password. This password must be changed on first login; however, if an attacker remotely logs in as this user before the legitimate administrator, they take control of the account. The vulnerability affects only new installations in specific configuration scenarios.
An attacker can gain full access to a new Gradle Enterprise installation, resulting in breach of confidentiality, integrity, and availability of the system (CWE-521 — weak password requirements).
Update Gradle Enterprise to version 2023.1 or later. Until the update is applied, immediately after installation, log in as administrator and change the password of the default system user. Details are available in the vendor advisory: https://security.gradle.com/advisory/2023-01
Gradle Enterprise versions prior to 2023.1, only new installations in specific deployment scenarios
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HGradle Enterprise
APPGradle< 2023.1
Related vulnerabilities
Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an in...
In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poi...
In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted ...
In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewin...
A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3...