Cyber Resilience

CVE-2024-46881

Severity: High
Published: 26 January 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS score: 0.0003 (9.6th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-46881 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in Gradle Enterprise (inferred from references). Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Information Repositories (T1213). The CVE is ranked at the 9.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-3 (Configuration Change Control) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-46881 is an Incorrect Access Control vulnerability (CWE-732) in Develocity (formerly Gradle Enterprise) versions before 2024.1.8. The flaw stems from incomplete migration functionality when upgrading the Enterprise Config schema from version 8 to version 9 or 10. During affected upgrades, the projects section of the configuration is omitted, resetting project settings to their defaults, including projects.enabled set to false, which disables project-level access control and exposes previously restricted project information.

The vulnerability requires administrator access to trigger an upgrade, as external attackers cannot force it. Specific scenarios include upgrading Develocity 2023.3.X to 2023.4.X, 2023.3.X to 2024.1.X up to 2024.1.7, or 2023.4.X to 2024.1.X up to 2024.1.7. Once triggered, it grants unauthorized access to restricted project data, achieving high confidentiality impact with low privileges (CVSS 7.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

The Gradle security advisory (https://security.gradle.com/advisory/2024-03) addresses this issue. Mitigation requires upgrading to Develocity 2024.1.8 or later, where migration correctly preserves the projects configuration section, preventing the reset to defaults.
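As an added example (not Develocity's own code), the following Python models the migration defect described above and the post-upgrade check a defender would run: the flawed migrator forgets the projects section, so it is reloaded from defaults with projects.enabled false, while the fixed migrator carries it forward. The dictionary layout, the section names other than projects, and the restrictedProjects key are assumptions; the real Enterprise Config format is not shown on this page.

```python
"""Models the CVE-2024-46881 schema-8 -> schema-9 migration defect and a
post-upgrade check. Config layout is assumed, not Develocity's real format."""
import copy

# Assumed defaults for the projects section; projects.enabled defaults to
# false, which is the page's stated default.
PROJECT_DEFAULTS = {"enabled": False, "restrictedProjects": []}

# Constructed sample of a schema-8 config with project access control enabled.
SAMPLE_V8_CONFIG = {
    "version": 8,
    "projects": {"enabled": True, "restrictedProjects": ["payments-core"]},
    "auth": {"sso": True},  # assumed unrelated section
}

# Sections the flawed migrator knows how to carry forward (assumed).
MIGRATED_SECTIONS = ("auth",)


def _migrate(cfg, sections):
    """Copy the listed sections into a schema-9 config; anything not copied
    is filled from defaults when the new schema is loaded."""
    out = {"version": 9}
    for section in sections:
        if section in cfg:
            out[section] = copy.deepcopy(cfg[section])
    out.setdefault("projects", dict(PROJECT_DEFAULTS))
    return out


def migrate_v8_to_v9_flawed(cfg):
    """Reproduces the defect: 'projects' is not in the migrated list, so
    access control silently resets to enabled=false."""
    return _migrate(cfg, MIGRATED_SECTIONS)


def migrate_v8_to_v9_fixed(cfg):
    """Fixed behaviour (as in 2024.1.8+): the projects section is preserved."""
    return _migrate(cfg, MIGRATED_SECTIONS + ("projects",))


def post_upgrade_check(before, after):
    """Post-upgrade verification: compare project access-control settings
    before and after migration. Returns findings; empty means nothing reset."""
    findings = []
    b = before.get("projects", PROJECT_DEFAULTS)
    a = after.get("projects", PROJECT_DEFAULTS)
    if b.get("enabled") and not a.get("enabled"):
        findings.append("projects.enabled was true before the upgrade and is false after it")
    lost = set(b.get("restrictedProjects", [])) - set(a.get("restrictedProjects", []))
    if lost:
        findings.append("restricted projects dropped during migration: " + ", ".join(sorted(lost)))
    return findings
```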

Vulnerability details

Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed.

Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.

Why these techniques?

Incorrect access control reset during upgrade directly bypasses project restrictions, enabling unauthorized retrieval of data from the application's information repositories (T1213).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21564 (shared CWE-732)
CVE-2025-27688 (shared CWE-732)
CVE-2019-25344 (shared CWE-732)
CVE-2026-24291 (shared CWE-732)
CVE-2026-22676 (shared CWE-732)
CVE-2025-1067 (shared CWE-732)
CVE-2025-62575 (shared CWE-732)
CVE-2025-0066 (shared CWE-732)
CVE-2019-25343 (shared CWE-732)
CVE-2026-2637 (shared CWE-732)

Affected Assets

Gradle Enterprise (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-2 (Flaw Remediation): Requires timely remediation of the configuration migration flaw by upgrading to Develocity 2024.1.8 or later, directly preventing the access control reset.

Prevent, CM-3 (Configuration Change Control): Mandates control, review, testing, and approval of configuration changes during upgrades to ensure project-level access controls are preserved and not reset to defaults.

Prevent: Establishes and verifies secure configuration settings for project-level access enforcement, including post-upgrade checks to confirm they remain enabled.