CVE-2021-41619
7.2 HIGH · An issue was discovered in Gradle Enterprise before 2021.1.2
Published: 2021-10-27 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.2 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Affected products
| Vendor | Product |
|---|---|
| gradle | enterprise |
Description
An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application.
Source: NVD
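The root cause described above is a free-text JVM startup field that passes any option straight to the `java` launcher, and `-XX:OnOutOfMemoryError` is only one of several HotSpot switches that run a command or load code. The following is an added example (not Gradle's code, not from the advisory) of the check a practitioner would put in front of such a field: it splits the administrator's input the way a launcher would, flags the known command-execution and code-loading switches, and then applies an allowlist so that anything not explicitly recognised is rejected rather than passed through. The option lists, the allowlist patterns, the sample inputs and all function names are assumptions made for this example.

```python
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

# HotSpot/launcher switches that let whoever sets them run a command or load code
# on the host. Prefixes are case-sensitive, as HotSpot parses them. This list is an
# assumption for the example; extend it for the JVM build you actually run.
CODE_EXEC_OPTIONS = {
    "-XX:OnOutOfMemoryError=": "runs an arbitrary command when the heap is exhausted",
    "-XX:OnError=": "runs an arbitrary command on a fatal JVM error",
    "-javaagent:": "loads an arbitrary Java agent JAR at startup",
    "-agentpath:": "loads an arbitrary native library as a JVMTI agent",
    "-agentlib:": "loads a native agent from the library path (jdwp opens a debugger port)",
    "-Xbootclasspath/a:": "prepends attacker-chosen classes to the boot class path",
    "-Xrun": "legacy native agent loading (-Xrunjdwp and friends)",
    "@": "reads further options from a file, bypassing inspection of this field",
}

# Narrow allowlist of what an administrator legitimately tunes at startup.
# These patterns are an assumption for the example, not Gradle's policy; note that
# -XX:HeapDumpPath= is deliberately absent because it is an arbitrary file write.
ALLOWED_OPTION_PATTERNS = [
    re.compile(r"^-Xm[sx]\d+[kKmMgG]?$"),                   # heap sizing
    re.compile(r"^-Xss\d+[kKmMgG]?$"),                      # thread stack size
    re.compile(r"^-XX:[+-]Use(G1|Parallel|Serial|Z)GC$"),   # collector choice
    re.compile(r"^-XX:MaxMetaspaceSize=\d+[kKmMgG]?$"),
    re.compile(r"^-XX:\+HeapDumpOnOutOfMemoryError$"),
    re.compile(r"^-D[A-Za-z0-9_.]+=[A-Za-z0-9_./:@-]*$"),   # plain system properties
]


@dataclass
class Finding:
    option: str
    reason: str


@dataclass
class Verdict:
    accepted: bool
    findings: list = field(default_factory=list)


def split_jvm_options(raw: str) -> list[str]:
    """Split the free-text field the way a POSIX launcher script would (shell quoting)."""
    return shlex.split(raw)


def find_code_exec_options(options: list[str]) -> list[Finding]:
    """Denylist pass: explain which tokens give command execution or code loading."""
    findings = []
    for opt in options:
        for prefix, reason in CODE_EXEC_OPTIONS.items():
            if opt.startswith(prefix):
                findings.append(Finding(opt, reason))
                break
    return findings


def validate_jvm_options(raw: str) -> Verdict:
    """Allowlist policy: every token must match a known-safe pattern, otherwise reject.
    Denylist findings are kept so the operator sees why a payload was dangerous."""
    options = split_jvm_options(raw)
    findings = find_code_exec_options(options)
    for opt in options:
        if not any(p.match(opt) for p in ALLOWED_OPTION_PATTERNS):
            if not any(f.option == opt for f in findings):
                findings.append(Finding(opt, "not on the startup-option allowlist"))
    return Verdict(accepted=not findings, findings=findings)


# Constructed sample inputs: a normal tuning line and the shape of payload the
# advisory describes (an OOM hook that runs a shell command as the service user).
BENIGN = "-Xms1g -Xmx4g -XX:+UseG1GC -Dfile.encoding=UTF-8"
MALICIOUS = "-Xmx4g -XX:OnOutOfMemoryError=\"/bin/sh -c 'id > /tmp/pwned'\""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("malicious", MALICIOUS)):
        verdict = validate_jvm_options(raw)
        print(f"{label}: accepted={verdict.accepted}")
        for f in verdict.findings:
            print(f"  rejected {f.option!r}: {f.reason}")
```

The allowlist is the part that matters: a denylist alone misses switches you did not think of, and the `-D` pattern above is still permissive (some system properties change security-relevant behaviour), so in production it should be narrowed to named properties. Whatever the UI validates, the process that launches the JVM must re-check the same list, because an attacker with the administrative access this CVE assumes may reach the stored configuration by other routes. Options inherited from `JAVA_TOOL_OPTIONS` or `JDK_JAVA_OPTIONS` in the service environment are not covered by field validation at all and need to be locked down separately.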
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2021-41619
- [Vendor advisory] https://security.gradle.com
- [Vendor advisory] https://security.gradle.com/advisory/2021-08
Related CVEs
Same vendor
- CVE-2021-41590 — In Gradle Enterprise through 2021.3, probing of the server-side network environment can occur via an SMTP configuration test (5.3 MEDIUM)
- CVE-2021-41589 — In Gradle Enterprise before 2021.3 (and Enterprise Build Cache Node before 10.0), there is potential cache poisoning and remote code exec... (9.8 CRITICAL)
- CVE-2021-41588 — In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects (8.1 HIGH)
- CVE-2021-41587 — In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other... (7.5 HIGH)
- CVE-2021-41586 — In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password (7.5 HIGH)
Same CWE
- CVE-2026-24155 — NVIDIA NeMo Framework for all platforms contains a code injection vulnerability (7.8 HIGH)
- CVE-2026-49774 — Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion (9.9 CRITICAL)
- CVE-2026-48017 — DbGate is cross-platform database manager (8.8 HIGH)
- CVE-2026-48836 — Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions (10.0 CRITICAL)
- CVE-2026-48124 — Cursor is a code editor built for programming with AI