
Cloud Vulnerability DB
A community-led vulnerabilities database
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File (CVE-2020-7599). The vulnerability was discovered on March 4, 2020, by Danny Thomas from Netflix and was publicly disclosed on March 27, 2020. When a plugin author publishes a Gradle plugin using this package while running Gradle with elevated log levels (--info or --debug), sensitive pre-signed AWS URLs are exposed in the log files (Gradle Blog, Snyk Blog).
The vulnerability occurs when the plugin receives a pre-signed AWS S3 URL for uploading artifacts to the Plugin Portal. This URL, valid for one hour, is logged at the info or debug log level. While the default log level (LIFECYCLE) does not expose this information, running builds with elevated logging levels (--info or --debug) captures these sensitive URLs in build logs (Gradle Blog).
If build logs are publicly visible, as is common in many public CI systems, attackers could use the exposed pre-signed URLs to replace recently uploaded plugins with malicious versions within the one-hour validity window. This could potentially enable large-scale supply chain attacks through compromised plugins (Snyk Blog).
The issue has been patched in version 0.11.0 of the com.gradle.plugin-publish plugin, which reduces the log level of the pre-signed URL. Users are strongly advised to upgrade to this version, as previous versions no longer work with the Plugin Portal. Additionally, it is recommended to avoid running builds handling sensitive information with elevated log levels and to keep build logs private (Gradle Blog).
In response to the vulnerability, Gradle conducted a thorough investigation of all artifacts (over 190,000) in the Plugin Portal. They also worked with major cloud CI providers, including GitHub and CircleCI IR Teams, to identify potentially exposed pre-signed URLs in build logs. The vulnerability prompted Gradle to implement changes to detect overwritten artifacts and enhance security around the Gradle plugin ecosystem (Gradle Blog).
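As an added illustration of the kind of log review described above (this is not Gradle's own tooling), the following scanner finds SigV4 pre-signed S3 URLs in a build log, redacts the signature so the finding can be reported safely, and derives the expiry from X-Amz-Date and X-Amz-Expires so a responder can tell whether an exposed URL is still inside its validity window. The sample log, bucket, key, credential and signature are constructed placeholders.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a Gradle --info log; the bucket, key and credential are
# placeholders, and the signature is a dummy value, not a real pre-signed URL.
SAMPLE_LOG = """\
> Task :publishPlugins
Publishing plugin com.example.demo version 1.0.0
Uploading to https://example-bucket.s3.amazonaws.com/com/example/demo/1.0.0/demo-1.0.0.jar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20200304%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200304T120000Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef0123
BUILD SUCCESSFUL in 12s
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def find_presigned_urls(log_text):
    """Return one record per SigV4 pre-signed S3 URL in the log text: its
    1-based line number, the URL with the signature redacted, and the expiry
    (ISO-8601 UTC) from X-Amz-Date + X-Amz-Expires, or None if absent."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0)
            query = parse_qs(urlsplit(url).query)
            if "X-Amz-Signature" not in query:
                continue  # an ordinary URL, not a pre-signed one
            expires_at = None
            if "X-Amz-Date" in query and "X-Amz-Expires" in query:
                signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
                signed_at = signed_at.replace(tzinfo=timezone.utc)
                ttl = timedelta(seconds=int(query["X-Amz-Expires"][0]))
                expires_at = (signed_at + ttl).isoformat()
            findings.append({
                "line": lineno,
                "url": re.sub(r"X-Amz-Signature=[^&\s]+", "X-Amz-Signature=<redacted>", url),
                "expires_at": expires_at,
            })
    return findings

def still_valid(finding, now_iso):
    """True if the URL could still be used at `now_iso` (ISO-8601 with offset)."""
    if finding["expires_at"] is None:
        return False
    return datetime.fromisoformat(now_iso) < datetime.fromisoformat(finding["expires_at"])

if __name__ == "__main__":
    for f in find_presigned_urls(SAMPLE_LOG):
        print(f"line {f['line']}: {f['url']} (expires {f['expires_at']})")
```

Run against archived CI logs, a finding whose expiry is already past still matters: it tells you which artifacts were exposed and should be compared against a known-good copy.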
Source: This report was generated using AI