CVE-2024-46881
Published: 26 January 2025
Summary
CVE-2024-46881 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Gradle Enterprise (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, it ranks at the 9.2 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-3 (Configuration Change Control) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the configuration migration flaw by upgrading to Develocity 2024.1.8 or later, directly preventing the access control reset.
- CM-3 (Configuration Change Control): mandates control, review, testing, and approval of configuration changes during upgrades, so that project-level access controls are preserved and not reset to defaults.
- CM-6 (Configuration Settings): establishes and verifies secure configuration settings for project-level access enforcement, including post-upgrade checks to confirm they remain enabled.
NVD Description
Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed. Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker.
Deeper analysis
CVE-2024-46881 is an Incorrect Access Control vulnerability (CWE-732) in Develocity (formerly Gradle Enterprise) versions before 2024.1.8. The flaw stems from incomplete migration functionality when upgrading Enterprise Config schema from version 8 to versions 9 or 10. During affected upgrades, the projects section of the configuration is omitted, resetting project settings to defaults—including projects.enabled set to false—which disables project-level access control and exposes previously restricted project information.
The vulnerability requires administrator access to trigger an upgrade, as external attackers cannot force it. Specific scenarios include upgrading Develocity 2023.3.X to 2023.4.X, 2023.3.X to 2024.1.X up to 2024.1.7, or 2023.4.X to 2024.1.X up to 2024.1.7. Once triggered, it grants unauthorized access to restricted project data, achieving high confidentiality impact with low privileges (CVSS 7.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
The Gradle security advisory (https://security.gradle.com/advisory/2024-03) addresses this issue. Mitigation requires upgrading to Develocity 2024.1.8 or later, where migration correctly preserves the projects configuration section, preventing the reset to defaults.
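The following Python model illustrates the failure mode described in the NVD description and the analysis above, together with the post-upgrade verification that the CM-6 control calls for. It is an added example written for this page, not Develocity's own migration code: the configuration layout, the section names other than projects, the DEFAULTS table and the function names are constructed assumptions; only the schema versions 8, 9 and 10, the projects section and the projects.enabled default of false come from the advisory text. The "vulnerable" migration drops the projects section so the loader falls back to defaults, the "fixed" migration carries every section across, and the check reports any project-level setting that an upgrade changed.

```python
"""Model of the CVE-2024-46881 schema migration flaw and a post-upgrade check.

Example code written for this page, not Develocity's own implementation.
The config layout is a constructed, simplified stand-in for the Enterprise
Config schema; section names other than `projects` are assumptions.
"""
import copy

# Defaults applied to any section missing after a schema load (constructed;
# `projects.enabled: False` is the default named in the advisory).
DEFAULTS = {
    "version": 10,
    "projects": {"enabled": False, "allowlist": []},
    "access": {"anonymous": False},
}

# Constructed schema-version-8 config with project-level access control on.
V8_CONFIG = {
    "version": 8,
    "access": {"anonymous": False},
    "projects": {"enabled": True, "allowlist": ["payments", "ledger"]},
}


def _apply_defaults(config):
    """Fill any section absent from `config` with its default value."""
    merged = copy.deepcopy(DEFAULTS)
    for key, value in config.items():
        merged[key] = copy.deepcopy(value)
    return merged


def migrate_vulnerable(config, target=10):
    """Models the flawed v8 -> v9/v10 migration: `projects` is not carried over."""
    if config["version"] != 8:
        raise ValueError("only schema version 8 is migrated in this illustration")
    migrated = {"version": target, "access": copy.deepcopy(config["access"])}
    # `projects` is omitted, so the loader falls back to projects.enabled = False
    return _apply_defaults(migrated)


def migrate_fixed(config, target=10):
    """Models the corrected migration (2024.1.8+): every section is carried over."""
    if config["version"] != 8:
        raise ValueError("only schema version 8 is migrated in this illustration")
    migrated = copy.deepcopy(config)
    migrated["version"] = target
    return _apply_defaults(migrated)


def post_upgrade_check(before, after):
    """CM-6-style verification: list every project-level setting the upgrade changed.

    Returns an empty list when project settings survived intact; the first
    entry flags the case the advisory describes (enabled -> disabled).
    """
    findings = []
    old = before.get("projects", {})
    new = after.get("projects", {})
    for key in sorted(set(old) | set(new)):
        if old.get(key) != new.get(key):
            findings.append(f"projects.{key}: {old.get(key)!r} -> {new.get(key)!r}")
    if old.get("enabled") and not new.get("enabled"):
        findings.insert(0, "project-level access control was DISABLED by the upgrade")
    return findings


if __name__ == "__main__":
    for label, migrate in (("vulnerable", migrate_vulnerable), ("fixed", migrate_fixed)):
        upgraded = migrate(V8_CONFIG)
        print(f"[{label}] projects after upgrade: {upgraded['projects']}")
        for finding in post_upgrade_check(V8_CONFIG, upgraded):
            print(f"  finding: {finding}")
```

Running the script shows the vulnerable path silently turning projects.enabled off and emptying the allowlist, while the fixed path produces no findings. The same comparison, run against a configuration snapshot taken before an upgrade, is the practical form of the post-upgrade check that confirms project-level access control is still enforced.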
Details
- CWE(s)