Vulnerable Gradle plugin-publish plugin reveals sensitive information

Just a few days ago, on March 27, a security vulnerability was disclosed and published — CVE-2020-7599 — on Gradle's plugin-publish plugin. It affects all versions of the package below 0.11.0. The vulnerability was found on March 4 by Danny Thomas, Developer Productivity at Netflix, and reported to Gradle straight away.

Sensitive information

The issue found in this package is a so-called “Insertion of Sensitive Information” vulnerability. In this particular case, the package displays sensitive information in the log file. When a plugin author publishes a Gradle plugin using the com.gradle.plugin-publish Gradle plugin, a pre-signed AWS URL is passed to the plugin. If the Gradle build is run with --info or below, this URL is published in the log file. If this build log is publicly visible, like it is with many public CI systems, this URL can be used for a malicious attack. An example of such a data leakage is shown in this public CI build by Danny Thomas.

Possible attack

The URL is valid for one hour and could be reused. This means that an attacker could use this URL to replace a recently uploaded plugin with a malicious package. After investigating the issue, Gradle states that no artifacts were replaced. It is also important to say that by default the URL is not shown in the logs as the default log level is LIFECYCLE according to the Gradle docs.

Remediation

Gradle, in response, released a new version of the publish plugin that reduces the log level of the URL. The advice is to update the plugin-publish plugin to version 0.11.0. In addition, make sure that you do not run Gradle with --debug log level as that still exposes the URL. In general, it is considered very dangerous to lower the log level when the logs are publicly visible.Next to releasing a patched version of the plugin, Gradle also shortened the lifespan of the pre-signed URL to shorten the attack window. Read more on their security blog.