Develocity Incorrect Access Control Vulnerability Disables Project-Level Access Control on Upgrade
Vulnerability
A vulnerability in Develocity (formerly Gradle Enterprise) prior to version 2024.1.8 results in incorrect access control. When upgrading from versions 2023.3.X or 2023.4.X to 2024.1.X (up to and including 2024.1.7), project-level access control settings are reset to their default values, which disables access control and discloses previously restricted project information. The root cause is that the migration of the Enterprise Config from schema version 8 to versions 9 and 10 does not carry over the projects section, so the customized settings are lost. The vulnerability can only be exploited by administrators, during the upgrade process.
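The failure mode described above, as an added illustration that is not Develocity's own code: a schema migration that rebuilds the config from an explicit list of sections silently drops the projects section, so the upgraded config falls back to defaults with access control off. The config layout, section names and the comparison helper are assumptions constructed for this example; the real Enterprise Config schema is not shown on the page.

```python
import copy

# Constructed stand-in for a schema version 8 Enterprise Config export.
# Section and key names are assumptions, not the real Develocity schema.
CONFIG_V8 = {
    "schemaVersion": 8,
    "general": {"serverName": "build-cache.example.internal"},
    "projects": {
        "accessControlEnabled": True,
        "projects": [
            {"name": "payments", "allowedGroups": ["payments-devs"]},
            {"name": "core", "allowedGroups": ["platform"]},
        ],
    },
}

# What a fresh install carries: access control disabled, no restricted projects.
DEFAULT_PROJECTS_SECTION = {"accessControlEnabled": False, "projects": []}

def migrate_v8_to_v9_buggy(cfg):
    """Rebuilds the config from a hard-coded list of known sections and
    forgets 'projects', so the upgraded config gets the defaults (the bug)."""
    out = {"schemaVersion": 9, "general": copy.deepcopy(cfg["general"])}
    out["projects"] = copy.deepcopy(DEFAULT_PROJECTS_SECTION)
    return out

def migrate_v8_to_v9_fixed(cfg):
    """Carries every section forward unchanged; only the schema version moves."""
    out = copy.deepcopy(cfg)
    out["schemaVersion"] = 9
    return out

def access_control_regressions(before, after):
    """Post-upgrade check: list every way project-level access control in
    'after' is weaker than in the pre-upgrade export 'before'."""
    findings = []
    if before["projects"]["accessControlEnabled"] and not after["projects"]["accessControlEnabled"]:
        findings.append("project-level access control was disabled")
    before_projects = {p["name"]: set(p["allowedGroups"]) for p in before["projects"]["projects"]}
    after_projects = {p["name"]: set(p["allowedGroups"]) for p in after["projects"]["projects"]}
    for name, groups in before_projects.items():
        if name not in after_projects:
            findings.append(f"project '{name}' restriction missing after upgrade")
        elif after_projects[name] != groups:
            findings.append(f"project '{name}' allowed groups changed")
    return findings
```

Exporting the config before the upgrade and running the comparison against the post-upgrade config is the kind of check that surfaces this class of regression before restricted projects are exposed.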
Impact
Upgrading to Develocity 2024.1.X (up to and including 2024.1.7) from earlier versions can unintentionally disable project-level access control, reverting settings to defaults and exposing sensitive project information.
Remediation
Users should upgrade to Develocity version 2024.1.8 or later. For new installations, the latest version of Develocity is strongly recommended.
