CVE-2020-7599 (GCVE-0-2020-7599)

Vulnerability from cvelistv5 – Published: 2020-03-30 18:20 – Updated: 2024-08-04 09:33
VLAI
Summary
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.
Severity
6.5 (Medium)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
n/a com.gradle.plugin-publish Affected: all versions before 0.11.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:33:19.912Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.gradle.org/plugin-portal-update"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "com.gradle.plugin-publish",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "all versions before 0.11.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-03-30T18:20:45.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.gradle.org/plugin-portal-update"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2020-7599",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "com.gradle.plugin-publish",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all versions before 0.11.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Insertion of Sensitive Information into Log File"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866"
            },
            {
              "name": "https://blog.gradle.org/plugin-portal-update",
              "refsource": "MISC",
              "url": "https://blog.gradle.org/plugin-portal-update"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2020-7599",
    "datePublished": "2020-03-30T18:20:45.000Z",
    "dateReserved": "2020-01-21T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:33:19.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-7599",
      "date": "2026-06-08",
      "epss": "0.00181",
      "percentile": "0.39569"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-7599\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2020-03-30T19:15:17.467\",\"lastModified\":\"2024-11-21T05:37:27.023\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.\"},{\"lang\":\"es\",\"value\":\"Todas las versiones de com.gradle.plugin-publishing anteriores a 0.11.0, son vulnerables a la Inserci\u00f3n de Informaci\u00f3n Confidencial en el Archivo de Registro (Log File). Cuando un autor del plugin publica un plugin de Gradle mientras ejecuta Gradle con el flag de nivel de registro --info, Gradle Logger registra una URL pre-firmada de AWS. Si este registro de compilaci\u00f3n es visible p\u00fablicamente (como lo es en muchos sistemas de CI p\u00fablicos populares como TravisCI), esta URL pre-firmada por AWS permitir\u00eda que un actor malicioso reemplace un plugin subido recientemente por el suyo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":3.3,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.5,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gradle:plugin_publishing:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.11.0\",\"matchCriteriaId\":\"7375D0C7-B1FD-4EAD-A388-F9CA9A14F222\"}]}]}],\"references\":[{\"url\":\"https://blog.gradle.org/plugin-portal-update\",\"source\":\"report@snyk.io\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://blog.gradle.org/plugin-portal-update\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-JAVA-COMGRADLEPLUGINPUBLISH-559866\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.