CVE-2024-46881
📋 TL;DR
This vulnerability in Develocity (formerly Gradle Enterprise) allows unauthorized access to project information due to incorrect access control during configuration migration. When upgrading from vulnerable versions, project-level access control settings are reset to defaults, potentially exposing previously restricted data. Only administrators performing upgrades are affected, not external attackers.
💻 Affected Systems
- Develocity (formerly Gradle Enterprise)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
All project-level access controls become disabled, exposing sensitive project information to unauthorized users who should have been restricted.
Likely Case
During upgrade scenarios, project access controls are inadvertently disabled, potentially allowing internal users to access projects they shouldn't see.
If Mitigated
With proper upgrade procedures to fixed versions, no exposure occurs as the migration correctly preserves access control settings.
🎯 Exploit Status
Exploitation requires administrator access to trigger the upgrade process. It cannot be forced by external attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.8 or later
Vendor Advisory: https://security.gradle.com/advisory/2024-03
Restart Required: No
Instructions:
1. Upgrade Develocity to version 2024.1.8 or later.
2. If already on a vulnerable version (2024.1.0-2024.1.7), upgrade immediately to 2024.1.8+.
3. Verify project access control settings after the upgrade.
🔧 Temporary Workarounds
Skip vulnerable upgrade paths
Avoid upgrading through vulnerable version combinations by upgrading directly to fixed versions.
🧯 If You Can't Patch
- Audit all project access control settings after any upgrade operation
- Implement additional network segmentation and access controls around Develocity instances
🔍 How to Verify
Check if Vulnerable:
Check Develocity version: if version is 2024.1.0 through 2024.1.7 AND was upgraded from 2023.3.X or 2023.4.X, the system is vulnerable.
Check Version:
Check Develocity administration interface or configuration files for version information
Verify Fix Applied:
Verify Develocity version is 2024.1.8 or later, and confirm project access control settings are properly configured and functioning.
📡 Detection & Monitoring
Log Indicators:
- Configuration migration logs showing schema version changes
- Access logs showing unauthorized project access after upgrades
Network Indicators:
- Increased internal access to previously restricted project endpoints
SIEM Query:
Search for: (event_type="configuration_change" AND old_version="8" AND new_version IN ("9","10")) OR (event_type="unauthorized_access" AND resource_type="project")
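As an added example (not from the advisory, NVD, or Gradle), the version rule under "How to Verify" and the SIEM search above expressed in Python and run over constructed events. It assumes version strings of the form YYYY.N.P and that log events expose the query's field names as dictionary keys.

```python
# Added example, not Gradle's code: the page's version rule and SIEM search, on constructed data.
VULN_LOW, VULN_HIGH = (2024, 1, 0), (2024, 1, 7)   # affected: 2024.1.0 through 2024.1.7
FIXED = (2024, 1, 8)                               # fixed: 2024.1.8 or later
RISKY_SOURCES = ((2023, 3), (2023, 4))             # upgraded from 2023.3.X or 2023.4.X

def parse_version(s: str) -> tuple:
    """'2024.1.7' -> (2024, 1, 7); a missing patch component defaults to 0."""
    parts = [int(p) for p in s.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def assess(current: str, upgraded_from=None) -> str:
    """Classify an instance per the page's rule. Returns 'fixed', 'vulnerable',
    'not-in-affected-range', or 'check-upgrade-path' (in the affected range but the
    previous version is unknown or not a 2023.3/2023.4 release)."""
    cur = parse_version(current)
    if cur >= FIXED:
        return "fixed"
    if not (VULN_LOW <= cur <= VULN_HIGH):
        return "not-in-affected-range"
    if upgraded_from is None:
        return "check-upgrade-path"
    src = parse_version(upgraded_from)
    return "vulnerable" if src[:2] in RISKY_SOURCES else "check-upgrade-path"

def siem_match(event: dict) -> bool:
    """Python form of the page's SIEM search; field names as given on the page."""
    cfg = (event.get("event_type") == "configuration_change"
           and event.get("old_version") == "8"
           and event.get("new_version") in ("9", "10"))
    unauth = (event.get("event_type") == "unauthorized_access"
              and event.get("resource_type") == "project")
    return cfg or unauth

# Constructed sample events (not real Develocity logs); two of them should match.
SAMPLE_EVENTS = [
    {"event_type": "configuration_change", "old_version": "8", "new_version": "9"},
    {"event_type": "configuration_change", "old_version": "9", "new_version": "10"},
    {"event_type": "unauthorized_access", "resource_type": "project"},
    {"event_type": "unauthorized_access", "resource_type": "build_scan"},
]

def matching_events(events=SAMPLE_EVENTS) -> list:
    """Return the events the SIEM search would surface for review."""
    return [e for e in events if siem_match(e)]
```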