GHSA-cv78-v957-jx34

Source

https://github.com/advisories/GHSA-cv78-v957-jx34

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cv78-v957-jx34/GHSA-cv78-v957-jx34.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cv78-v957-jx34

Aliases

CVE-2020-7599

Published

2022-05-24T17:12:57Z

Modified

2026-03-13T21:56:32.598063Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Exposure of Sensitive Information in Gradle publish plugin

Details

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.

Database specific

{
    "cwe_ids": [
        "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-27T22:17:45Z",
    "nvd_published_at": "2020-03-30T19:15:00Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven

com.gradle.publish:plugin-publish-plugin

Package

Name: com.gradle.publish:plugin-publish-plugin; View open source insights on deps.dev
Purl: pkg:maven/com.gradle.publish/plugin-publish-plugin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.11.0

Affected versions

0.*

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.10.0

0.10.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cv78-v957-jx34/GHSA-cv78-v957-jx34.json"

com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin