CVE-2021-21361

Description

### Impact The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors. ### Patches Fixed in version 3.0.0 ### References - https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44 - https://github.com/bmuschko/gradle-vagrant-plugin/issues/19 - https://github.com/bmuschko/gradle-vagrant-plugin/pull/20 ### For more information If you have any questions or comments about this advisory: * Open an issue in [bmuschko/gradle-vagrant-plugin](https://github.com/bmuschko/gradle-vagrant-plugin)

How to fix CVE-2021-21361

To remediate CVE-2021-21361, upgrade the affected package to a fixed version below.

• —upgrade to 3.0.0 or later

Is CVE-2021-21361 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 0.6, < 3.0.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21361
• WEBgithub.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44
• WEBgithub.com/bmuschko/gradle-vagrant-plugin/issues/19
• WEB