CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2023-49238

CVSS 9.8v3.1pub. 2024-01-09upd. 2025-06-17

In Gradle Enterprise before 2023.1, a remote attacker may be able to gain access to a new installation (in certain installation scenarios) because of a non-unique initial system user password. Although this password must be changed upon the first login, it is possible that an attacker logs in before the legitimate administrator logs in.

🤖 AI Analysis
How it works

During Gradle Enterprise installation, an initial system user is created with a non-unique, predictable password. This password must be changed on first login; however, if an attacker remotely logs in as this user before the legitimate administrator, they take control of the account. The vulnerability affects only new installations in specific configuration scenarios.

Impact

An attacker can gain full access to a new Gradle Enterprise installation, resulting in breach of confidentiality, integrity, and availability of the system (CWE-521 — weak password requirements).

Mitigation & patch

Update Gradle Enterprise to version 2023.1 or later. Until the update is applied, immediately after installation, log in as administrator and change the password of the default system user. Details are available in the vendor advisory: https://security.gradle.com/advisory/2023-01

Who is affected

Gradle Enterprise versions prior to 2023.1, only new installations in specific deployment scenarios

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gradle Enterprise

    APP
    Gradle
    < 2023.1
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2022-27919CRITICAL9.8ten sam produkt

Gradle Enterprise before 2022.1 allows remote code execution if the installation process did not specify an in...

CVE-2021-41589CRITICAL9.8ten sam produkt

In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poi...

CVE-2019-11402CRITICAL9.8ten sam produkt

In Gradle Enterprise before 2018.5.3, Build Cache Nodes did not store the credentials at rest in an encrypted ...

CVE-2019-11403CRITICAL9.8ten sam produkt

In Gradle Enterprise before 2018.5.2, Build Cache Nodes would reflect the configured password back when viewin...

CVE-2022-41575HIGH7.5ten sam produkt

A credential-exposure vulnerability in the support-bundle mechanism in Gradle Enterprise 2022.3 through 2022.3...