CVE-2021-29428

8.8 HIGH

📋 TL;DR

This vulnerability allows local privilege escalation on Unix-like systems by exploiting insecure permissions in the system temporary directory. Attackers can delete and recreate files during Gradle builds, potentially gaining elevated privileges. It affects builds using precompiled Kotlin DSL script plugins or Gradle plugin tests with ProjectBuilder/TestKit.

💻 Affected Systems

Products:
  • Gradle
Versions: All versions before 7.0
Operating Systems: Unix-like systems (Linux, BSD, older macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: Not vulnerable on Windows or modern macOS. Not vulnerable if the system temporary directory has the sticky bit set.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local attacker gains root/administrator privileges on the system, leading to complete system compromise.

🟠 Likely Case: Local user escalates privileges to another user account, potentially accessing sensitive build artifacts or configuration files.

🟢 If Mitigated: With the sticky bit set or proper permissions, only the original user can delete files, preventing privilege escalation.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring access to the system.
🏢 Internal Only: HIGH - Internal users with local access could exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and timing to delete/recreate files during specific build operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.0

Vendor Advisory: https://docs.gradle.org/7.0/release-notes.html#security-advisories

Restart Required: No

Instructions:

1. Upgrade Gradle to version 7.0 or later.
2. Update build scripts to use new version.
3. Verify builds complete successfully.

🔧 Temporary Workarounds

Set sticky bit on temp directory (linux)

Set sticky bit on system temporary directory to prevent other users from deleting files

chmod +t /tmp

Change Java temporary directory (all)

Move Java temporary directory to a location with restricted permissions

export JAVA_OPTS="-Djava.io.tmpdir=/secure/tmp"
gradle build

🧯 If You Can't Patch

  • Ensure system temporary directory has sticky bit set (chmod +t /tmp)
  • Run Gradle builds with isolated temporary directories using java.io.tmpdir system property

🔍 How to Verify

Check if Vulnerable:

Check Gradle version with 'gradle --version' and verify if below 7.0. Check temp directory permissions with 'ls -ld /tmp' - should show 'drwxrwxrwt' for sticky bit.

Check Version:

gradle --version | grep Gradle

Verify Fix Applied:

Confirm Gradle version is 7.0+ with 'gradle --version'. Verify temp directory has sticky bit with 'ls -ld /tmp'.
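
The two checks above combined into one script, as an added example that is not from the advisory or from Gradle; the function names and the sample version 6.8.3 are assumptions made for illustration. It goes slightly beyond the text by also treating a temporary directory that is not group- or world-writable as mitigated, in line with the restricted-permissions workaround.

```shell
#!/bin/sh
# Added example (not Gradle's or the advisory's code): evaluates the two
# conditions this page gives for CVE-2021-29428 exposure.

# Succeeds when DIR is writable by group or others but lacks the sticky bit,
# so one user can delete and recreate another user's files in it.
# Only permission bits are examined, not ownership or ACLs.
tmpdir_exposed() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case $mode in
        d????????[tT]) return 1 ;;            # sticky bit set
        d????w????|d???????w?) return 0 ;;    # shared, no sticky bit
        *) return 1 ;;                        # private, missing or not a directory
    esac
}

# Succeeds when VERSION (e.g. "6.8.3") has a major number below 7.
# Returns 2 when VERSION cannot be parsed. Only the major number is
# compared; pre-release tags are not interpreted.
gradle_affected() {
    major=${1%%.*}
    case $major in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -lt 7 ]
}

# Prints one verdict for a Gradle version and the java.io.tmpdir it uses.
assess() {
    rc=0
    gradle_affected "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "unknown: cannot parse version '$1'"
    elif [ "$rc" -eq 1 ]; then
        echo "not affected: Gradle $1 is 7.0 or later"
    elif tmpdir_exposed "$2"; then
        echo "VULNERABLE: Gradle $1 and $2 is shared without the sticky bit"
    else
        echo "mitigated: Gradle $1 but $2 is sticky or not shared"
    fi
}

# Usage: sh check.sh [VERSION] [TMPDIR]
# The defaults are constructed sample values; take VERSION from the
# "Gradle x.y.z" line of 'gradle --version'.
assess "${1:-6.8.3}" "${2:-/tmp}"
```

Pass the directory the build actually uses: if java.io.tmpdir has been overridden, check that path rather than /tmp.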

📡 Detection & Monitoring

Log Indicators:

  • Unusual file deletion/recreation in /tmp during builds
  • Permission denied errors in temp directory

Network Indicators:

  • None - local attack only

SIEM Query:

process.name:"gradle" AND file.path:"/tmp/*" AND file.action:"delete"
