Cyber Posture

CVE-2024-46881

Severity: High
Published: 26 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0003 (9.0th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in project-level access control being disabled, even if it was previously enabled, and previously restricted project information being disclosed.

Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if:

- Develocity 2023.3.X is upgraded to 2023.4.X;
- Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or
- Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7.

The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker.

Security Summary

CVE-2024-46881 is an access control weakness (CWE-732, Incorrect Permission Assignment for Critical Resource) in Develocity (formerly Gradle Enterprise) versions before 2024.1.8. Project-level access control was introduced in Enterprise Config schema version 8. In affected versions, the migration from schema version 8 to versions 9 and 10 does not carry over the projects section, so every project setting is reset to its default when a v8 config is loaded. Because the default for projects.enabled is false, the migrated config silently disables project-level access control, and project information that was previously restricted becomes visible to users who were not meant to see it.

The migration only runs when an administrator upgrades the instance; an external attacker cannot force it. The affected upgrade paths are 2023.3.X to 2023.4.X, 2023.3.X to 2024.1.X up to and including 2024.1.7, and 2023.4.X to 2024.1.X up to and including 2024.1.7. Upgrading directly to a fixed version does not trigger the flaw. Once an instance has gone through an affected upgrade, any authenticated user with ordinary (low) privileges can read project data that the pre-upgrade configuration restricted to specific projects, which is why the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, score 7.1) records high confidentiality impact with low privileges required and no user interaction.

The Gradle security advisory (https://security.gradle.com/advisory/2024-03) covers this issue. The fix is to upgrade to Develocity 2024.1.8 or later, where the migration preserves the projects section of the configuration instead of resetting it to defaults. Instances that already went through one of the affected upgrade paths should have their Enterprise Config reviewed afterwards to confirm that projects.enabled is still true and that the per-project restrictions are intact, since the reset happened when the old schema was loaded and the description above does not say whether a later upgrade restores the earlier values.
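To make the failure mode concrete, here is a small simulation of the schema migration described above, together with a post-upgrade check of the kind an administrator would want to run. This is an added example written for this page, not Develocity's own code or config format: only the facts from the advisory (a projects section introduced in schema v8, a v8-to-v9/v10 migration that drops it, and projects.enabled defaulting to false) are taken from the page. The config layout, the other section names, the sample project list and the access decision function are assumptions made for the illustration.

```python
import copy
import json

# Constructed sample of a schema-v8 Enterprise Config with project-level access
# control enabled. Only `version`, `projects` and `projects.enabled` come from the
# advisory; the other field names are assumptions made for this example.
V8_CONFIG = {
    "version": 8,
    "projects": {
        "enabled": True,
        "list": [
            {"id": "payments", "displayName": "Payments"},
            {"id": "internal-tools", "displayName": "Internal Tools"},
        ],
    },
    "buildScans": {"retentionDays": 30},
}

# Defaults applied to the projects section when it is absent after migration.
# `enabled: false` is the default named in the advisory; `list` is assumed.
PROJECT_DEFAULTS = {"enabled": False, "list": []}

# Sections each simulated migrator carries forward. The vulnerable table omits
# "projects", which is the defect described in the advisory.
SECTIONS_VULNERABLE = ("buildScans",)
SECTIONS_FIXED = ("buildScans", "projects")


def migrate(config, target_version, known_sections):
    """Return a copy of config at target_version containing only known sections.
    Anything not carried over is replaced by its default when the config is loaded."""
    migrated = {"version": target_version}
    for section in known_sections:
        if section in config:
            migrated[section] = copy.deepcopy(config[section])
    migrated.setdefault("projects", copy.deepcopy(PROJECT_DEFAULTS))
    return migrated


def migrate_vulnerable(config, target_version=9):
    """v8 -> v9/v10 migration as in affected versions: the projects section is lost."""
    return migrate(config, target_version, SECTIONS_VULNERABLE)


def migrate_fixed(config, target_version=9):
    """Migration as in 2024.1.8 and later: the projects section is preserved."""
    return migrate(config, target_version, SECTIONS_FIXED)


def is_project_visible(config, user_projects, project_id):
    """Simplified (assumed) access decision: with project-level access control
    disabled every project is visible to every user; with it enabled, only the
    projects assigned to the user are."""
    if not config["projects"]["enabled"]:
        return True
    return project_id in user_projects


def check_project_access_control(before, after):
    """Post-upgrade check: list what the migration silently weakened."""
    findings = []
    before_projects = before.get("projects", {})
    after_projects = after.get("projects", {})
    if before_projects.get("enabled", False) and not after_projects.get("enabled", False):
        findings.append("projects.enabled reset from true to false: "
                        "project-level access control is now OFF")
    lost = ({p["id"] for p in before_projects.get("list", [])}
            - {p["id"] for p in after_projects.get("list", [])})
    if lost:
        findings.append("project restrictions dropped for: " + ", ".join(sorted(lost)))
    return findings


if __name__ == "__main__":
    for name, migrator in (("vulnerable", migrate_vulnerable), ("fixed", migrate_fixed)):
        after = migrator(V8_CONFIG, 9)
        print(f"--- {name} migration v8 -> v9 ---")
        print(json.dumps(after["projects"], indent=2))
        print("unassigned user sees 'payments':",
              is_project_visible(after, set(), "payments"))
        print("findings:", check_project_access_control(V8_CONFIG, after) or ["none"])
```

The vulnerable path shows why this is a fail-open bug: the migrator never touches projects.enabled explicitly, it simply forgets the section, and the loader's default of false does the rest. The check function compares the pre- and post-upgrade configs rather than inspecting the new one alone, because a config with projects.enabled set to false is perfectly valid on its own; only the comparison reveals that access control was lost.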

Details

CWE(s)
CWE-732: Incorrect Permission Assignment for Critical Resource

References

https://security.gradle.com/advisory/2024-03