Bug 1188569 - (CVE-2021-32751) VUL-0: CVE-2021-32751: gradle: `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: package coldpool
Security Team bot
https://smash.suse.de/issue/304780/
CVSSv3.1:SUSE:CVE-2021-32751:4.8:(AV:...
Reported: 2021-07-21 13:46 UTC by Alexander Bergmann
Modified: 2022-10-27 08:12 UTC

Found By: Security Response Team

Description Alexander Bergmann 2021-07-21 13:46:23 UTC
CVE-2021-32751

Gradle is a build tool with a focus on build automation. In versions prior to
7.2, start scripts generated by the `application` plugin and the `gradlew`
script are both vulnerable to arbitrary code execution when an attacker is able
to change environment variables for the user running the script. This may impact
those who use `gradlew` on Unix-like systems or use the scripts generated by
Gradle in their application on Unix-like systems. For this vulnerability to be
exploitable, an attacker needs to be able to set the value of particular
environment variables and have those environment variables be seen by the
vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the
use of `eval` and requiring the use of the `bash` shell.

There are a few workarounds available. For CI/CD systems using the Gradle build
tool, one may ensure that untrusted users are unable to change environment
variables for the user that executes `gradlew`. If one is unable to upgrade to
Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it
for older versions of Gradle. For applications using start scripts generated by
Gradle, one may ensure that untrusted users are unable to change environment
variables for the user that executes the start script. A vulnerable start script
could be manually patched to remove the use of `eval` or the use of environment
variables that affect the application's command-line. If the application is
simple enough, one may be able to avoid the use of the start scripts by running
the application directly with the Java command.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32751
https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8
https://mywiki.wooledge.org/BashFAQ/048
https://medium.com/dot-debug/the-perils-of-bash-eval-cc5f9e309cae
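
An audit for the pattern this report describes, as an added example that is not part of the bug report or of Gradle's code: it lists lines in `gradlew` and `bin/` start scripts where `eval` receives an already-expanded variable. The heuristic (a `$NAME` after `eval` on the same line), the `bin/` location and the function names are assumptions, and every hit needs manual review.

```shell
#!/bin/sh
# Added example (not Gradle's or SUSE's code): list lines in gradlew and
# bin/ start scripts where `eval` is handed an expanded variable, so the
# variable's content is parsed a second time as shell code.
# Assumption: $(...) substitutions and multi-line eval calls are not analysed.

# flag_eval_lines FILE: print "FILE:LINE: text" for each suspicious line.
flag_eval_lines() {
    awk -v f="$1" -v q="'" '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /(^|[^A-Za-z0-9_])eval[ \t]/ {
            rest = $0
            sub(/^.*eval[ \t]+/, "", rest)       # text handed to eval
            gsub(/\\./, "", rest)                # escaped chars are not expanded
            gsub(q "[^" q "]*" q, "", rest)      # nor is single-quoted text
            if (rest ~ /\$[A-Za-z_{]/)           # a $NAME or ${NAME} remains
                printf "%s:%d: %s\n", f, NR, $0
        }
    ' "$1"
}

# audit_tree DIR: check every gradlew and every script under a bin/ directory.
audit_tree() {
    find "$1" -type f \( -name gradlew -o -path '*/bin/*' \) ! -name '*.bat' |
    while IFS= read -r script; do
        # only look at scripts: the first line must be a #! line
        head -n 1 "$script" | grep -q '^#!' || continue
        flag_eval_lines "$script"
    done
}

# Stand-alone use: sh audit.sh /path/to/checkout
if [ "$#" -gt 0 ]; then audit_tree "$1"; fi
```

A flagged line is a candidate for the workarounds listed in the description: regenerate the wrapper with Gradle 7.2 or patch the script by hand.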
Comment 1 Hu 2022-08-16 13:26:04 UTC
Reassigning to coldpool, could you please take a look into SUSE:SLE-15-SP2:Update? Thanks!
Comment 2 Petr Gajdos 2022-08-23 10:52:44 UTC
15sp2/gradle has the same version as Factory/gradle, so in case 15sp2/gradle is affected then Factory/gradle has the issue as well.

Adding maintainers of Java:packages, the package itself does not have a maintainer defined.