GHSA-vp55-fhxx-vcx8 · Severity: high · Ecosystem: maven — Maven Extension plugin for Gradle Enterprise vulnerable to Deserialization of Untrusted Data
An issue was discovered in the Maven Extension plugin before 1.6 for Gradle Enterprise. The extension uses a socket connection to send serialized Java objects. Deserialization is not restricted to an allow-list, thus allowing an attacker to achieve code execution via a malicious deserialization gadget chain. The socket is not bound exclusively to localhost. The port this socket is assigned to is randomly selected and is not intentionally exposed to the public (either by design or documentation). This could potentially be used to achieve remote code execution and local privilege escalation.
Conclusion & alert: CVE-2020-15777 is rated Moderate Risk (52.5/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.05%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.66% | 1.05% | +0.39% |
| 2 | 2025-12-22 | 0.39% | 0.66% | +0.27% |
| 3 | 2025-03-30 | — | 0.39% | — |
Full EPSS history (11 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.8 | 3.1 | HIGH |
|
1.8 | 5.9 | [email protected] |
| 4.6 | 2.0 | MEDIUM |
|
3.9 | 6.4 | [email protected] |
GHSA-vp55-fhxx-vcx8 · Severity: high · Ecosystem: maven — Maven Extension plugin for Gradle Enterprise vulnerable to Deserialization of Untrusted Data
| URL | Tags |
|---|---|
| https://docs.gradle.com/enterprise/maven-extension/#1_6 | Release Notes Vendor Advisory |
| https://security.gradle.com/advisory/CVE-2020-15777 | Vendor Advisory |