CVE-2022-25364
📋 TL;DR
Gradle Enterprise versions before 2021.4.2 shipped with a default configuration that allowed anonymous write access to the built-in build cache. An attacker with network access to the cache could inject malicious cache entries that execute arbitrary code during builds. Organizations running vulnerable versions with the default configuration are affected.
💻 Affected Systems
- Gradle Enterprise
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or supply chain attacks through malicious builds.
Likely Case
Unauthorized code execution in build pipelines, potentially compromising build artifacts and downstream deployments.
If Mitigated
No impact if access controls are properly configured or the system is patched.
🎯 Exploit Status
Exploitation requires network access to the build cache and knowledge of cache protocols, but no authentication is needed with default settings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2021.4.2 and later
Vendor Advisory: https://security.gradle.com/advisory/2022-02
Restart Required: Yes
Instructions:
1. Upgrade Gradle Enterprise to version 2021.4.2 or later.
2. Restart the Gradle Enterprise service.
3. Verify that the built-in build cache now requires explicit access control configuration.
🔧 Temporary Workarounds
Configure Build Cache Access Controls
Manually configure access controls to restrict write access to authenticated users only.
Configure via Gradle Enterprise administration interface: Settings > Build Cache > Access Control
Disable Built-in Build Cache
Temporarily disable the built-in build cache until patching is possible.
Disable via Gradle Enterprise administration interface: Settings > Build Cache > Disable Built-in Cache
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Gradle Enterprise build cache ports
- Configure strict firewall rules to allow only trusted IPs to access the build cache service
🔍 How to Verify
Check if Vulnerable:
Check the Gradle Enterprise version via the admin interface or API. If the version is below 2021.4.2 and the built-in cache is enabled with default settings, the system is vulnerable.
Check Version:
curl -k https://<gradle-enterprise-host>/api/version
Verify Fix Applied:
Verify that the version is 2021.4.2 or later and that the built-in cache requires explicit access control configuration.
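As an added example (not part of the advisory or of Gradle's own tooling), the following POSIX shell script applies the 2021.4.2 threshold to a version string with a numeric field-by-field comparison, so that a release such as 2021.4.10 is not misjudged by plain string ordering. It assumes the version endpoint from the check above returns the version as a plain dotted string; that response format is an assumption, not something this page confirms.

```shell
#!/bin/sh
# Added example for CVE-2022-25364: decide whether a Gradle Enterprise
# version string is below the fixed release 2021.4.2.
# Assumption (not confirmed by the advisory): the version endpoint returns
# the version as a plain dotted string such as 2021.4.1. Adjust check_host
# if your instance wraps it in JSON.

FIXED_VERSION="2021.4.2"

# Compare two dotted versions field by field as integers and print
# -1, 0 or 1 (a<b, a==b, a>b). Missing fields count as 0, so 2021.4
# equals 2021.4.0, and 2021.4.10 correctly sorts above 2021.4.2 where a
# plain string comparison would not.
compare_versions() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i + 0; na = NF }
        NR == 2 {
            n = (NF > na) ? NF : na
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? a[i] : 0
                y = (i <= NF) ? $i + 0 : 0
                if (x < y) { print "-1"; exit }
                if (x > y) { print "1"; exit }
            }
            print "0"
        }'
}

# Succeeds (exit 0) when the version predates the fix.
is_vulnerable_version() {
    [ "$(compare_versions "$1" "$FIXED_VERSION")" = "-1" ]
}

# Query the version endpoint named in the advisory and report.
# TLS verification is left on (no -k) so the answer comes from the real host.
check_host() {
    host="$1"
    version=$(curl -sS "https://$host/api/version") || return 2
    version=$(printf '%s' "$version" | tr -d '[:space:]"')
    if is_vulnerable_version "$version"; then
        echo "$host: $version is below $FIXED_VERSION (vulnerable with default cache settings)"
        return 1
    fi
    echo "$host: $version includes the fix; still confirm cache access control is configured"
    return 0
}

# Stand-alone use: ./check.sh gradle-enterprise.example.internal
if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

A fixed version alone does not prove the cache is protected; the access control setting from the workaround section still has to be confirmed.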
📡 Detection & Monitoring
Log Indicators:
- Unauthorized write attempts to build cache
- Unusual cache entry patterns or timestamps
Network Indicators:
- Unusual traffic to build cache ports (default 2031)
- Cache write requests from untrusted sources
SIEM Query:
source="gradle-enterprise" AND (event="cache_write" AND user="anonymous")