Vulnerable Gradle plugin-publish plugin reveals sensitive information
March 31, 2020
0 mins readJust a few days ago, on March 27, a security vulnerability was disclosed and published — CVE-2020-7599 — on Gradle's plugin-publish plugin. It affects all versions of the package below 0.11.0. The vulnerability was found on March 4 by Danny Thomas, Developer Productivity at Netflix, and reported to Gradle straight away.
Sensitive information
The issue found in this package is a so-called “Insertion of Sensitive Information” vulnerability. In this particular case, the package displays sensitive information in the log file. When a plugin author publishes a Gradle plugin using the com.gradle.plugin-publish
Gradle plugin, a pre-signed AWS URL is passed to the plugin. If the Gradle build is run with --info or below, this URL is published in the log file. If this build log is publicly visible, like it is with many public CI systems, this URL can be used for a malicious attack. An example of such a data leakage is shown in this public CI build by Danny Thomas.
Possible attack
The URL is valid for one hour and could be reused. This means that an attacker could use this URL to replace a recently uploaded plugin with a malicious package. After investigating the issue, Gradle states that no artifacts were replaced. It is also important to say that by default the URL is not shown in the logs as the default log level is LIFECYCLE
according to the Gradle docs.
Remediation
Gradle, in response, released a new version of the publish plugin that reduces the log level of the URL. The advice is to update the plugin-publish plugin to version 0.11.0. In addition, make sure that you do not run Gradle with --debug log level as that still exposes the URL. In general, it is considered very dangerous to lower the log level when the logs are publicly visible.Next to releasing a patched version of the plugin, Gradle also shortened the lifespan of the pre-signed URL to shorten the attack window. Read more on their security blog.
Get started in capture the flag
Learn how to solve capture the flag challenges by watching our virtual 101 workshop on demand.