CVE-2020-15776

An issue was discovered in Gradle Enterprise 2018.2 - 2020.2.4. The CSRF prevention token is stored in a request cookie that is not annotated as HttpOnly. An attacker with the ability to execute arbitrary code in a user's browser could impose an arbitrary value for this token, allowing them to perform cross-site request forgery.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
gradleenterprise
2018.2 ≤
𝑥
≤ 2020.2.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://cwe.mitre.org/data/definitions/1004.html
https://github.com/gradle/gradle/security/advisories
https://security.gradle.com/advisory/CVE-2020-15776
https://cwe.mitre.org/data/definitions/1004.html
https://github.com/gradle/gradle/security/advisories
https://security.gradle.com/advisory/CVE-2020-15776