A security vulnerability (CVE-2020-7599) was discovered in the Gradle Plugin Portal's com.gradle.plugin-publish plugin. When builds ran with info or debug log levels, pre-signed AWS S3 URLs used for artifact uploads were captured in build logs. These URLs were valid for 1 hour and could allow an attacker to overwrite plugin artifacts. An audit of 190,000+ artifacts found no malicious overwrites. The fix is to upgrade com.gradle.plugin-publish to version 0.11.0, which reduces the log level for the pre-signed URL. Old versions will no longer work and will be rejected by the Plugin Portal. Best practices around avoiding sensitive data in build logs are also recommended.
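As an added defensive example, not code from the advisory or from the plugin itself, the following Python scans build-log text for pre-signed S3 URLs in either AWS signing style, reports when each one stops being usable, and redacts the signing material before the log is stored or shared. The bucket name, access key id, signature and log lines are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Simple URL matcher for free-form log text (constructed, deliberately permissive).
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Query parameters that carry the signing material of a pre-signed S3 URL.
SECRET_PARAMS = ("Signature", "X-Amz-Signature", "X-Amz-Credential", "AWSAccessKeyId")


def presigned_expiry(url):
    """Return the UTC expiry of a pre-signed S3 URL, or None if the URL is not pre-signed."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "X-Amz-Signature" in q and "X-Amz-Date" in q:  # SigV4 query-string authentication
        start = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        return start + timedelta(seconds=int(q.get("X-Amz-Expires", "3600")))
    if "Signature" in q and "Expires" in q:  # legacy SigV2 style, Expires is epoch seconds
        return datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
    return None


def scan_build_log(text):
    """Return (line_no, url, expiry) for every pre-signed S3 URL found in build log text."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            exp = presigned_expiry(url)
            if exp is not None:
                hits.append((n, url, exp))
    return hits


def redact_line(line):
    """Blank out signing material so a log line can be kept or shared safely."""
    return re.sub(r"\b(%s)=[^&\s]+" % "|".join(SECRET_PARAMS), r"\1=REDACTED", line)


# Constructed build-log excerpt: one pre-signed upload URL and one ordinary repository URL.
SAMPLE_LOG = """\
> Task :publishPlugins
Publishing artifact my-plugin-1.0.0.jar
Uploading to https://example-bucket.s3.amazonaws.com/my-plugin-1.0.0.jar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20200301%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200301T120000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef
Resolved plugin metadata from https://plugins.gradle.org/m2/
"""

if __name__ == "__main__":
    for line_no, url, exp in scan_build_log(SAMPLE_LOG):
        print("line %d: pre-signed URL valid until %s" % (line_no, exp.isoformat()))
        print("redacted:", redact_line(url))
```

Run it against a saved console log from a CI job to see whether a pre-signed upload URL was captured and whether it is still within its validity window.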
Important update when publishing plugins to the Plugin Portal