CVE-2021-21361

描述

### Impact The `com.bmuschko:gradle-vagrant-plugin` Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors. ### Patches Fixed in version 3.0.0 ### References - https://github.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44 - https://github.com/bmuschko/gradle-vagrant-plugin/issues/19 - https://github.com/bmuschko/gradle-vagrant-plugin/pull/20 ### For more information If you have any questions or comments about this advisory: * Open an issue in [bmuschko/gradle-vagrant-plugin](https://github.com/bmuschko/gradle-vagrant-plugin)

如何修補 CVE-2021-21361

要修補 CVE-2021-21361,請將受影響套件升級到下列已修補版本。

• —升級至 3.0.0 或更新版本

CVE-2021-21361 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• >= 0.6, < 3.0.0

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21361
• WEBgithub.com/bmuschko/gradle-vagrant-plugin/blob/292129f9343d00d391543fae06239e9b0f33db73/src/main/groovy/com/bmuschko/gradle/vagrant/process/GDKExternalProcessExecutor.groovy#L42-L44
• WEBgithub.com/bmuschko/gradle-vagrant-plugin/issues/19
• WEB