Tag
Nuclio's Java runtime dashboard API, by default configured with NOP authentication, is vulnerable to remote code execution (CWE-94) where attackers can inject arbitrary Groovy code into the unsanitized `runtimeAttributes.repositories` field, which is directly written into the `build.gradle` file, allowing the injected code to execute during the Gradle configuration phase as root within the build container.