NVD Vulnerability Detail

CVE-2021-29429

Summary	In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.
Publication Date	April 13, 2021, 7:15 a.m.
Registration Date	April 13, 2021, 10:04 a.m.
Last Update	Nov. 21, 2024, 3:01 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:gradle:gradle::::::::					7.0

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:quarkus:quarkus::::::::			2.2.3

Related information, measures and tools

No	URL	タグ
1	https://docs.gradle.org/7.0/release-notes.html#security-advisories	Release Notes Vendor Advisory
2	https://docs.gradle.org/7.0/release-notes.html#security-advisories	Release Notes Vendor Advisory
3	https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8	Exploit Mitigation Third Party Advisory
4	https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8	Exploit Mitigation Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Gradle における安全でない一時ファイルに関する脆弱性

Title	Gradle における安全でない一時ファイルに関する脆弱性
Summary	Gradle には、安全でない一時ファイルに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 10, 2021, midnight
Registration Date	Dec. 21, 2021, 2:08 p.m.
Last Update	Dec. 21, 2021, 2:08 p.m.

Affected System

Quarkus

Gradle Inc.

Gradle 7.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-29429	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29429
National Vulnerability Database (NVD)
2	CVE-2021-29429	https://nvd.nist.gov/vuln/detail/CVE-2021-29429

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-377	https://cwe.mitre.org/data/definitions/377.html

ベンダー情報

No	Name	URL
GitHub
1	Information disclosure through temporary directory permissions	https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
Gradle
2	Gradle Release Notes	https://docs.gradle.org/7.0/release-notes.html#security-advisories
Quarkus
3	Quarkus	https://quarkus.io/

Change Log

No	Changed Details	Date of change
1	[2021年12月21日] 掲載	Dec. 21, 2021, 2:08 p.m.