Git Product home page Git Product logo

turkdevops / gradle Goto Github PK

View Code? Open in Web Editor NEW

This project forked from gradle/gradle

0.0 1.0 0.0 381.95 MB

Adaptable, fast automation for all

Home Page: https://gradle.org

License: Apache License 2.0

Groovy 45.94% Java 44.09% Brainfuck 0.01% HTML 0.10% CSS 0.30% JavaScript 0.34% XSLT 0.07% GAP 0.01% Scala 0.02% Assembly 0.01% C 0.20% C++ 2.90% Objective-C 0.01% Objective-C++ 0.01% Shell 0.01% Kotlin 6.03% Python 0.01% Gherkin 0.01% Ruby 0.01% Swift 0.01%

gradle's Introduction

Gradle Logo

Revved up by Gradle Enterprise CII Best Practices

Gradle is a build tool with a focus on build automation and support for multi-language development. If you are building, testing, publishing, and deploying software on any platform, Gradle offers a flexible model that can support the entire development lifecycle from compiling and packaging code to publishing web sites. Gradle has been designed to support build automation across multiple languages and platforms including Java, Scala, Android, Kotlin, C/C++, and Groovy, and is closely integrated with development tools and continuous integration servers including Eclipse, IntelliJ, and Jenkins.

For more information, please visit the official project homepage

Getting Started

Stay in Flow

Enjoy first-class Gradle support in your IDE of choice.

Need Help?

Contributing

If you're looking to contribute to Gradle or provide a patch/pull request, you can find more info here.

This project adheres to the Gradle Code of Conduct. By participating, you are expected to uphold this code.

gradle's People

Contributors

adammurdoch avatar adrianbk avatar bamboo avatar big-guy avatar bigdaz avatar blindpirate avatar bot-gradle avatar bot-teamcity avatar breskeby avatar cbeams avatar donat avatar eriwen avatar eskatos avatar etiennestuder avatar freekh avatar ghale avatar hansd avatar jjohannes avatar ldaley avatar lhotari avatar ljacomet avatar lptr avatar marcphilipp avatar melix avatar mockitoguy avatar oehme avatar pniederw avatar radimk avatar rieske avatar wolfs avatar

Watchers

avatar

gradle's Issues

CVE-2019-17571 (High) detected in log4j-1.2.8.jar

CVE-2019-17571 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.8.jar

Path to vulnerable library: /.2.8.jar

Dependency Hierarchy:

  • log4j-1.2.8.jar (Vulnerable Library)

Found in HEAD commit: 2731f430cbe595273e6858dba029ef5f2a2f3c30

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

Step up your Open Source Security Game with Mend here

CVE-2021-4104 (High) detected in log4j-1.2.8.jar

CVE-2021-4104 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.8.jar

Path to vulnerable library: /.2.8.jar

Dependency Hierarchy:

  • log4j-1.2.8.jar (Vulnerable Library)

Found in HEAD commit: 2731f430cbe595273e6858dba029ef5f2a2f3c30

Found in base branch: master

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

Step up your Open Source Security Game with Mend here

CVE-2022-23302 (High) detected in log4j-1.2.8.jar

CVE-2022-23302 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.8.jar

Path to vulnerable library: /.2.8.jar

Dependency Hierarchy:

  • log4j-1.2.8.jar (Vulnerable Library)

Found in HEAD commit: 2731f430cbe595273e6858dba029ef5f2a2f3c30

Found in base branch: master

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2021-29425 (Medium) detected in commons-io-2.1.jar

CVE-2021-29425 - Medium Severity Vulnerability

Vulnerable Library - commons-io-2.1.jar

The Commons IO library contains utility classes, stream implementations, file filters, file comparators and endian classes.

Library home page: http://commons.apache.org/io/

Path to vulnerable library: /-io-2.1.jar

Dependency Hierarchy:

  • commons-io-2.1.jar (Vulnerable Library)

Found in HEAD commit: 2731f430cbe595273e6858dba029ef5f2a2f3c30

Found in base branch: master

Vulnerability Details

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: 2.7

Step up your Open Source Security Game with Mend here

CVE-2022-23305 (High) detected in log4j-1.2.8.jar

CVE-2022-23305 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.8.jar

Path to vulnerable library: /.2.8.jar

Dependency Hierarchy:

  • log4j-1.2.8.jar (Vulnerable Library)

Found in HEAD commit: 2731f430cbe595273e6858dba029ef5f2a2f3c30

Found in base branch: master

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

Step up your Open Source Security Game with Mend here

CVE-2020-9493 (High) detected in log4j-1.2.8.jar

CVE-2020-9493 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.8.jar

Path to vulnerable library: /.2.8.jar

Dependency Hierarchy:

  • log4j-1.2.8.jar (Vulnerable Library)

Found in HEAD commit: 2731f430cbe595273e6858dba029ef5f2a2f3c30

Found in base branch: master

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2022-23307 (High) detected in log4j-1.2.8.jar

CVE-2022-23307 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.8.jar

Path to vulnerable library: /.2.8.jar

Dependency Hierarchy:

  • log4j-1.2.8.jar (Vulnerable Library)

Found in HEAD commit: 2731f430cbe595273e6858dba029ef5f2a2f3c30

Found in base branch: master

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2020-9488 (Low) detected in log4j-1.2.8.jar

CVE-2020-9488 - Low Severity Vulnerability

Vulnerable Library - log4j-1.2.8.jar

Path to vulnerable library: /.2.8.jar

Dependency Hierarchy:

  • log4j-1.2.8.jar (Vulnerable Library)

Found in HEAD commit: 2731f430cbe595273e6858dba029ef5f2a2f3c30

Found in base branch: master

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.