Base Score

MEDIUM6.5

CVE-2020-7599

All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is publicly visible (as it is in many popular public CI systems like TravisCI) this AWS pre-signed URL would allow a malicious actor to replace a recently uploaded plugin with their own.

VectorADJACENT_NETWORK

Published Byreport@snyk.io

Published DateMar 30, 2020, 19:15

Affected Versions(2)

com.gradle.publish:plugin-publish-plugin(Maven)

Introduced0

Fixed0.11.0

LimitN/A

com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin(Maven)

Introduced0

Fixed0.11.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
com.gradle.publish:plugin-publish-plugin(Maven)	0	0.11.0	N/A
com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin(Maven)	0	0.11.0	N/A

Weakness Type (CWE):CWE-532

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

ADJACENT_NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

MEDIUM6.5

Weakness Type (CWE):CWE-532

CVSS Metrics

Base Score

6.5

Vector String

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.1

Attack Vector (AV)

ADJACENT_NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE