CVE-2021-21361 : The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the loggi

The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors. This is fixed in version 3.0.0.

Published 2021-03-09 01:15:13

Updated 2021-03-16 18:57:50

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Exploit prediction scoring system (EPSS) score for CVE-2021-21361

Probability of exploitation activity in the next 30 days: 0.07%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 31 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-21361

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
3.3	LOW	AV:A/AC:L/Au:N/C:P/I:N/A:N	6.5	2.9	NIST
Access Vector: Adjacent Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.3	MEDIUM	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N	0.9	4.0	GitHub, Inc.
Attack Vector: Physical Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-21361

CWE-532 Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-21361

https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44

gradle-vagrant-plugin/GDKExternalProcessExecutor.groovy at 292129f9343d00d391543fae06239e9b0f33db73 · bmuschko/gradle-vagrant-plugin · GitHub
Exploit;Third Party Advisory
https://github.com/bmuschko/gradle-vagrant-plugin/pull/20

Don't print environment by britter · Pull Request #20 · bmuschko/gradle-vagrant-plugin · GitHub
Patch;Third Party Advisory
https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-jpcm-4485-69p7

Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin · Advisory · JLLeitschuh/security-research · GitHub
Exploit;Third Party Advisory
https://github.com/bmuschko/gradle-vagrant-plugin/issues/19

Potential credentials leak when setting environmentVariables · Issue #19 · bmuschko/gradle-vagrant-plugin · GitHub
Patch;Third Party Advisory

Products affected by CVE-2021-21361

Vagrant Project » Vagrant » For Gradle
Versions before (<) 0.6
cpe:2.3:a:vagrant_project:vagrant:*:*:*:*:*:gradle:*:*
Matching versions
Vagrant Project » Vagrant » For Gradle
Versions from including (>=) 2.0 and before (<) 3.0.0
cpe:2.3:a:vagrant_project:vagrant:*:*:*:*:*:gradle:*:*
Matching versions

Vulnerability Details : CVE-2021-21361

Exploit prediction scoring system (EPSS) score for CVE-2021-21361

CVSS scores for CVE-2021-21361

CWE ids for CVE-2021-21361

References for CVE-2021-21361

Products affected by CVE-2021-21361