Is CVE-2022-27225 actively exploited?

CVE-2022-27225 has no public evidence of in-the-wild exploitation as of 2024-11-21.

What is the CVSS score for CVE-2022-27225?

CVE-2022-27225 has a CVSS score of 6.5 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N.

How do I patch CVE-2022-27225?

Patch guidance is available from gradle security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2022-27225.

CVE-2022-27225 - remediation guidance & executive summary

Description

Gradle Enterprise before 2021.4.3 relies on cleartext data transmission in some situations. It uses Keycloak for identity management services. During the sign-in process, Keycloak sets browser cookies that effectively provide remember-me functionality. For backwards compatibility with older Safari versions, Keycloak sets a duplicate of the cookie without the Secure attribute, which allows the cookie to be sent when accessing the location that cookie is set for via HTTP. This creates the potential for an attacker (with the ability to impersonate the Gradle Enterprise host) to capture the login session of a user by having them click an http:// link to the server, despite the real server requiring HTTPS.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector: network
Complexity: low
Privileges: none
User Action: required
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none
Weaknesses: CWE-311

Metadata

Primary Vendor: GRADLE
Published: 3/16/2022
Last Modified: 11/21/2024
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2022-27225

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary