CVE-2024-46881
Published: 26 January 2025
Summary
CVE-2024-46881 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Gradle Enterprise (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213); ranked at the 9.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-3 (Configuration Change Control) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-46881 is an Incorrect Access Control vulnerability (CWE-732) in Develocity (formerly Gradle Enterprise) versions before 2024.1.8. The flaw stems from incomplete migration functionality when upgrading Enterprise Config schema from version 8 to versions 9 or 10. During affected upgrades, the projects section of the configuration is omitted, resetting project settings to defaults—including projects.enabled set to false—which disables project-level access control and exposes previously restricted project information.
The vulnerability requires administrator access to trigger an upgrade, as external attackers cannot force it. Specific scenarios include upgrading Develocity 2023.3.X to 2023.4.X, 2023.3.X to 2024.1.X up to 2024.1.7, or 2023.4.X to 2024.1.X up to 2024.1.7. Once triggered, it grants unauthorized access to restricted project data, achieving high confidentiality impact with low privileges (CVSS 7.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
The Gradle security advisory (https://security.gradle.com/advisory/2024-03) addresses this issue. Mitigation requires upgrading to Develocity 2024.1.8 or later, where migration correctly preserves the projects configuration section, preventing the reset to defaults.
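The migration failure described above, reproduced on a simplified hypothetical config schema as an added example (not Develocity's code or its real configuration format): a migration that rebuilds the config from an explicit list of sections drops the projects section and falls back to the fail-open default, while the fixed migration carries every section forward; a post-upgrade check flags the regression. Section names, keys and defaults are assumptions chosen to mirror the advisory.

```python
from copy import deepcopy

# Constructed sample: a schema-v8 config with project-level access control
# explicitly enabled. Hypothetical shape, not Develocity's real format.
CONFIG_V8 = {
    "schemaVersion": 8,
    "server": {"hostname": "develocity.example.internal"},
    "projects": {"enabled": True, "defaultAccess": "restricted"},
}

# Defaults applied to any section that is absent after migration.
# projects.enabled defaults to False, i.e. the setting fails open.
DEFAULTS = {"projects": {"enabled": False, "defaultAccess": "open"}}

def apply_defaults(cfg):
    """Fill in any section the migrated config does not carry."""
    for section, values in DEFAULTS.items():
        cfg.setdefault(section, deepcopy(values))
    return cfg

def migrate_v8_to_v9_vulnerable(cfg):
    """Rebuilds the config from an explicit list of sections. 'projects'
    was never added to that list, so it is dropped and then replaced by its
    default, silently turning project-level access control off."""
    out = {"schemaVersion": 9, "server": deepcopy(cfg["server"])}
    return apply_defaults(out)

def migrate_v8_to_v9_fixed(cfg):
    """Carries every section of the source config forward unchanged and
    only applies defaults to sections that were genuinely absent."""
    out = deepcopy(cfg)
    out["schemaVersion"] = 9
    return apply_defaults(out)

def access_control_preserved(before, after):
    """Post-upgrade check: access control that was enabled before the
    migration must still be enabled afterwards."""
    was_on = before.get("projects", {}).get("enabled", False)
    is_on = after.get("projects", {}).get("enabled", False)
    return is_on or not was_on

if __name__ == "__main__":
    for name, migrate in (("vulnerable", migrate_v8_to_v9_vulnerable),
                          ("fixed", migrate_v8_to_v9_fixed)):
        after = migrate(CONFIG_V8)
        print(f"{name}: projects.enabled={after['projects']['enabled']} "
              f"preserved={access_control_preserved(CONFIG_V8, after)}")
```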
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42218
Vulnerability details
Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed. Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control reset during upgrade directly bypasses project restrictions, enabling unauthorized retrieval of data from the application's information repositories (T1213).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely remediation of the configuration migration flaw by upgrading to Develocity 2024.1.8 or later, directly preventing the access control reset.
- CM-3 (Configuration Change Control): Mandates control, review, testing, and approval of configuration changes during upgrades to ensure project-level access controls are preserved and not reset to defaults.
- Establishes and verifies secure configuration settings for project-level access enforcement, including post-upgrade checks to confirm they remain enabled.