CVE-2021-29428: 
Gradle vulnerability analysis and mitigation

In Gradle before version 7.0, on Unix-like systems, the system temporary directory could be created with open permissions that allow multiple users to create and delete files within it. This vulnerability (CVE-2021-29428) was discovered and disclosed in April 2021, affecting Gradle versions prior to 7.0. The vulnerability primarily impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit (GitHub Advisory).

The vulnerability stems from insecure temporary file creation practices in the system temporary directory. A race condition in the creation of temporary directories could be exploited, particularly in three scenarios: precompiled script plugins, ProjectBuilder API in tests, and Gradle TestKit in tests. The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating local access requirements but high potential impact (NVD).

If exploited, this vulnerability could lead to local privilege escalation, allowing an attacker to execute commands at the same privilege level as the build. The impact was particularly significant for systems using precompiled script plugins, ProjectBuilder API, or TestKit in tests. Windows users and those on modern versions of macOS were not affected by this vulnerability (GitHub Advisory).

The vulnerability was patched in Gradle 7.0, which removed reliance on system temporary directories where possible and instead uses a combination of the Gradle User Home and project's build directory. For users unable to upgrade, workarounds include ensuring the 'sticky' bit is set on Unix-like systems' temporary directory, or moving the Java temporary directory by setting the System Property java.io.tmpdir to a path with limited permissions (GitHub Advisory, Release Notes).