CVE-2024-46881: High severity Gradle Develocity vulnerability

Published Jan 26, 2025
·
Updated

Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed. Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker.

Affected Software

3 affected components
Gradle Develocity<2024.1.8
Gradle Develocity>=2023.3.0<2024.1.7
Gradle Develocity>=2023.4.0<2024.1

Event History

Jan 26, 2025
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionSeverityWeakness
Data Sourced
via NVD·07:15 AM
DescriptionSeverityWeakness
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-46881?

The severity of CVE-2024-46881 is classified as medium due to the incorrect access control configuration.

2

How do I fix CVE-2024-46881?

To fix CVE-2024-46881, upgrade Develocity to version 2024.1.8 or later.

3

Which versions of Develocity are affected by CVE-2024-46881?

CVE-2024-46881 affects Develocity versions before 2024.1.8 and all versions between 2023.3.0 and 2024.1.8.

4

What vulnerability does CVE-2024-46881 address?

CVE-2024-46881 addresses an issue related to incorrect access control in project-level access configurations.

5

Is there any migration functionality related to CVE-2024-46881?

Yes, the migration functionality from schema version 8 to versions 9 and 10 does not properly account for access controls, which is a part of CVE-2024-46881.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203