
CVE-2021-21361: Sensitive information disclosure via log in com.bmuschko:gradle-vagrant-plugin

CVSS Score: 7.4 (CVSS v3.1)

Basic Information

EPSS Score
0.31657%
Published
3/9/2021
Updated
2/1/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| com.bmuschko:gradle-vagrant-plugin | maven | >= 0.6, < 3.0.0 | 3.0.0 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems directly from the printCommandLineArgs method logging environment variables. The patch (ef9b8bf/d14d2bb) explicitly removes the envp parameter and environment variable logging from this method. As this was the only location where environment variables were logged, and the CVE description specifically references this logging as the vulnerability source, this function is the definitive runtime indicator. The method would appear in profilers when Vagrant commands are executed with environment variables, before the logging was removed in version 3.0.0.
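To make the root-cause pattern concrete, the following Java example contrasts a logging helper that receives and prints the process environment (the pattern the analysis above describes) with one whose signature no longer carries the environment at all (the shape of the 3.0.0 fix), and adds a redaction step for cases where some environment output is genuinely needed for debugging. This is an added illustration, not code from the gradle-vagrant-plugin project; the class name, the `SENSITIVE_KEY` pattern and the sample environment map are constructed for the example, and the methods return strings rather than writing to Gradle's logger so the behaviour can be inspected directly.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class VagrantCommandLogging {

    // Hypothetical allow/deny heuristic: key names that usually carry secrets in CI.
    private static final Pattern SENSITIVE_KEY = Pattern.compile(
            "(?i).*(secret|token|password|passwd|api[_-]?key|credential|private).*");

    // Vulnerable pattern: the whole environment handed to the child process ends up in
    // the build log. In a public CI/CD job that log is readable by anyone.
    static String printCommandLineArgsVulnerable(List<String> args, Map<String, String> envp) {
        return "Executing: " + String.join(" ", args) + " with environment: " + envp;
    }

    // Hardened pattern, mirroring the fix described above: the environment is simply
    // not a parameter of the logging helper, so it cannot leak through it.
    static String printCommandLineArgs(List<String> args) {
        return "Executing: " + String.join(" ", args);
    }

    // Defensive alternative when an operator really wants environment context in debug
    // output: keep key names for diagnostics, mask values of keys that look sensitive.
    static Map<String, String> redactEnv(Map<String, String> envp) {
        Map<String, String> redacted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : envp.entrySet()) {
            String value = SENSITIVE_KEY.matcher(e.getKey()).matches() ? "<redacted>" : e.getValue();
            redacted.put(e.getKey(), value);
        }
        return redacted;
    }

    public static void main(String[] argv) {
        List<String> args = List.of("vagrant", "up", "--provider=virtualbox");

        // Constructed sample environment resembling what a CI runner injects.
        Map<String, String> envp = new LinkedHashMap<>();
        envp.put("PATH", "/usr/local/bin:/usr/bin");
        envp.put("VAGRANT_LOG", "info");
        envp.put("CI_DEPLOY_TOKEN", "constructed-sample-value");
        envp.put("AWS_SECRET_ACCESS_KEY", "constructed-sample-value");

        System.out.println("[vulnerable] " + printCommandLineArgsVulnerable(args, envp));
        System.out.println("[fixed]      " + printCommandLineArgs(args));
        System.out.println("[redacted]   " + printCommandLineArgs(args)
                + " with environment: " + redactEnv(envp));
    }
}
```

Running the `main` method shows the first line exposing both token values, the second line carrying only the command, and the third keeping the key names while masking the two sensitive values. A detection hook for this class of bug is a log-output scan in CI for values that match known secret formats, which catches the vulnerable variant regardless of which plugin produced the line.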


WAF Protection Rules

WAF Rule

### Impact

The `com.bmuschko:gradle-vagrant-plugin` gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this gradle plugin is executed in public CI/CD, this can lead to sensiti
