#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Gradle Enterprise [1]
# Vendor: Gradle
# CSNC ID: CSNC-2020-015
# CVE ID: CVE-2020-15768
# Subject: Potential disclosure of session cookies via header reflection
# Risk: Low
# Effect: Remotely exploitable
# Author: Marat Aytuganov <marat.aytuganov@compass-security.com>
# Date: 12.10.2020
#
#############################################################
Introduction
------------
Gradle Enterprise is the tool of choice for the world’s most valuable global
business and technology brands that compete on the delivery speed and quality
of their code. Gradle Enterprise leverages acceleration technologies to speed
up the software build and test process and data analytics to make
troubleshooting more efficient. It is a key enabling technology for the
emerging discipline of Developer Productivity Engineering. [1]
Affected
--------
Vulnerable:
* Gradle Enterprise 2017.3 - 2020.2.4
* Gradle Enterprise Build Cache Node 1.0 - 9.2
Not vulnerable:
* 2020.2.5
Technical Description
---------------------
Gradle Enterprise exposes endpoints that reflect the HTTP request headers
in the body of the HTTP response. Because the browser attaches the session
cookie to such a request, these endpoints can be used in a Cross-Site
Scripting attack (see CVE-2020-15769) to extract authentication cookies that
are protected with the HttpOnly flag and steal the sessions of users and
administrators. The affected endpoints are:
/info/headers
/cache-info/headers
/admin-info/headers
/distribution-broker-info/headers
/cache-node-info/headers
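As an added illustration (not Gradle Enterprise's code), the following WSGI handler reproduces the pattern the advisory describes, an endpoint that echoes every request header into the response body, next to a hardened variant that reflects only an allowlist, plus an in-process check that drives either handler with a canary cookie. The handler names, the allowlist and the constructed request are assumptions.

```python
import json
from io import BytesIO

def _request_headers(environ):
    # WSGI stores request headers as HTTP_FOO_BAR; rebuild "Foo-Bar".
    return {k[5:].replace("_", "-").title(): v
            for k, v in environ.items() if k.startswith("HTTP_")}

# Vulnerable pattern (constructed): every request header, including Cookie,
# ends up in the body, which same-origin page script can read even though
# the cookie itself carries HttpOnly.
def vulnerable_headers_app(environ, start_response):
    body = json.dumps(_request_headers(environ)).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]

# Hardened variant (hypothetical): reflect only diagnostic headers from an
# allowlist, so credentials never reach the response body.
SAFE_TO_ECHO = {"User-Agent", "Accept", "Accept-Encoding", "X-Forwarded-For"}

def hardened_headers_app(environ, start_response):
    headers = {k: v for k, v in _request_headers(environ).items()
               if k in SAFE_TO_ECHO}
    body = json.dumps(headers).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]

def reflects_header(app, name, canary):
    """Send a constructed request carrying `canary` in header `name` to `app`
    and report whether the value comes back in the body. Against a live
    server the same check is a plain HTTP request with a canary value."""
    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": "/info/headers",
        "SERVER_NAME": "localhost", "SERVER_PORT": "80",
        "wsgi.url_scheme": "http", "wsgi.input": BytesIO(b""),
        "HTTP_USER_AGENT": "check-client",
        "HTTP_" + name.upper().replace("-", "_"): canary,
    }
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0].startswith("200") and canary in body.decode()

if __name__ == "__main__":
    for app in (vulnerable_headers_app, hardened_headers_app):
        print(app.__name__, "reflects Cookie:",
              reflects_header(app, "Cookie", "JSESSIONID=canary123"))
```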
Workaround / Fix
----------------
Upgrade to Gradle Enterprise 2020.2.5 or later.
Timeline
--------
2020-06-26: Discovery by Marat Aytuganov
2020-06-26: Initial vendor notification
2020-06-26: Initial vendor response
2020-09-15: Assigned CVE-2020-15768
2020-07-13: Release of fixed Version / Patch
References
----------
[1] https://gradle.com/gradle-enterprise-solution-overview/