Search criteria
14 vulnerabilities found for gradle by gradle
CVE-2026-22865 (GCVE-0-2026-22865)
Vulnerability from cvelistv5 – Published: 2026-01-16 22:46 – Updated: 2026-01-20 14:47
VLAI?
Title
Gradle's failure to disable repositories failing to answer can expose builds to malicious artifacts
Summary
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Severity ?
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:47:11.391813Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:47:41.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003c 9.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494: Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T22:46:19.741Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv"
}
],
"source": {
"advisory": "GHSA-mqwm-5m85-gmcv",
"discovery": "UNKNOWN"
},
"title": "Gradle\u0027s failure to disable repositories failing to answer can expose builds to malicious artifacts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22865",
"datePublished": "2026-01-16T22:46:19.741Z",
"dateReserved": "2026-01-12T16:20:16.746Z",
"dateUpdated": "2026-01-20T14:47:41.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22816 (GCVE-0-2026-22816)
Vulnerability from cvelistv5 – Published: 2026-01-16 22:45 – Updated: 2026-01-20 14:49
VLAI?
Title
Gradle fails to disable repositories which can expose builds to malicious artifacts
Summary
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22816",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:49:03.938522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:49:32.077Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003c 9.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository\u0027s domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-494",
"description": "CWE-494: Download of Code Without Integrity Check",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T22:45:48.937Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82"
},
{
"name": "https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a"
}
],
"source": {
"advisory": "GHSA-w78c-w6vf-rw82",
"discovery": "UNKNOWN"
},
"title": "Gradle fails to disable repositories which can expose builds to malicious artifacts"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22816",
"datePublished": "2026-01-16T22:45:48.937Z",
"dateReserved": "2026-01-09T22:50:10.289Z",
"dateUpdated": "2026-01-20T14:49:32.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-27148 (GCVE-0-2025-27148)
Vulnerability from cvelistv5 – Published: 2025-02-25 20:13 – Updated: 2025-02-25 21:20
VLAI?
Title
Gradle vulnerable to local privilege escalation through system temporary directory
Summary
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. This library initialization could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. Gradle builds that rely on versions of net.rubygrapefruit:native-platform prior to 0.22-milestone-28 could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory.
In net.rubygrapefruit:native-platform prior to version 0.22-milestone-28, if the `Native.get(Class<>)` method was called, without calling `Native.init(File)` first, with a non-`null` argument used as working file path, then the library would initialize itself using the system temporary directory and NativeLibraryLocator.java lines 68 through 78. Version 0.22-milestone-28 has been released with changes that fix the problem. Initialization is now mandatory and no longer uses the system temporary directory, unless such a path is passed for initialization. The only workaround for affected versions is to make sure to do a proper initialization, using a location that is safe.
Gradle 8.12, only that exact version, had codepaths where the initialization of the underlying native integration library took a default path, relying on copying the binaries to the system temporary directory. Any execution of Gradle exposed this exploit. Users of Windows or modern versions of macOS are not vulnerable, nor are users of a Unix-like operating system with the "sticky" bit set or `noexec` on their system temporary directory vulnerable. This problem was fixed in Gradle 8.12.1. Gradle 8.13 release also upgrades to a version of the native library that no longer has that bug. Some workarounds are available. On Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. Mounting `/tmp` as `noexec` will prevent Gradle 8.12 from starting. Those who are are unable to change the permissions of the system temporary directory can move the Java temporary directory by setting the System Property java.io.tmpdir. The new path needs to limit permissions to the build user only.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27148",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T21:14:39.385419Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T21:20:46.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "= 8.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. This library initialization could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. Gradle builds that rely on versions of net.rubygrapefruit:native-platform prior to 0.22-milestone-28 could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory.\n\nIn net.rubygrapefruit:native-platform prior to version 0.22-milestone-28, if the `Native.get(Class\u003c\u003e)` method was called, without calling `Native.init(File)` first, with a non-`null` argument used as working file path, then the library would initialize itself using the system temporary directory and NativeLibraryLocator.java lines 68 through 78. Version 0.22-milestone-28 has been released with changes that fix the problem. Initialization is now mandatory and no longer uses the system temporary directory, unless such a path is passed for initialization. The only workaround for affected versions is to make sure to do a proper initialization, using a location that is safe.\n\nGradle 8.12, only that exact version, had codepaths where the initialization of the underlying native integration library took a default path, relying on copying the binaries to the system temporary directory. Any execution of Gradle exposed this exploit. Users of Windows or modern versions of macOS are not vulnerable, nor are users of a Unix-like operating system with the \"sticky\" bit set or `noexec` on their system temporary directory vulnerable. This problem was fixed in Gradle 8.12.1. Gradle 8.13 release also upgrades to a version of the native library that no longer has that bug. Some workarounds are available. On Unix-like operating systems, ensure that the \"sticky\" bit is set. This only allows the original user (or root) to delete a file. Mounting `/tmp` as `noexec` will prevent Gradle 8.12 from starting. Those who are are unable to change the permissions of the system temporary directory can move the Java temporary directory by setting the System Property java.io.tmpdir. The new path needs to limit permissions to the build user only."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-378",
"description": "CWE-378: Creation of Temporary File With Insecure Permissions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-379",
"description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T20:13:51.578Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-465q-w4mf-4f4r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-465q-w4mf-4f4r"
},
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336"
},
{
"name": "https://github.com/gradle/native-platform/security/advisories/GHSA-2xxp-vw2f-p3x8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/native-platform/security/advisories/GHSA-2xxp-vw2f-p3x8"
},
{
"name": "https://github.com/gradle/gradle/pull/32025",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/pull/32025"
},
{
"name": "https://github.com/gradle/native-platform/pull/353",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/native-platform/pull/353"
},
{
"name": "https://en.wikipedia.org/wiki/Fstab#Options_common_to_all_filesystems",
"tags": [
"x_refsource_MISC"
],
"url": "https://en.wikipedia.org/wiki/Fstab#Options_common_to_all_filesystems"
},
{
"name": "https://en.wikipedia.org/wiki/Sticky_bit",
"tags": [
"x_refsource_MISC"
],
"url": "https://en.wikipedia.org/wiki/Sticky_bit"
},
{
"name": "https://github.com/gradle/native-platform/blob/574dfe8d9fb546c990436468d617ab81c140871d/native-platform/src/main/java/net/rubygrapefruit/platform/internal/NativeLibraryLocator.java#L68-L78",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/native-platform/blob/574dfe8d9fb546c990436468d617ab81c140871d/native-platform/src/main/java/net/rubygrapefruit/platform/internal/NativeLibraryLocator.java#L68-L78"
}
],
"source": {
"advisory": "GHSA-465q-w4mf-4f4r",
"discovery": "UNKNOWN"
},
"title": "Gradle vulnerable to local privilege escalation through system temporary directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27148",
"datePublished": "2025-02-25T20:13:51.578Z",
"dateReserved": "2025-02-19T16:30:47.778Z",
"dateUpdated": "2025-02-25T21:20:46.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42445 (GCVE-0-2023-42445)
Vulnerability from cvelistv5 – Published: 2023-10-06 13:52 – Updated: 2025-06-16 17:08
VLAI?
Title
Possible local file exfiltration by XML External entity injection
Summary
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.
Severity ?
6.8 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:38.775Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8"
},
{
"name": "https://github.com/gradle/gradle/releases/tag/v7.6.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/releases/tag/v7.6.3"
},
{
"name": "https://github.com/gradle/gradle/releases/tag/v8.4.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/releases/tag/v8.4.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231110-0006/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-19T18:40:52.777135Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-16T17:08:05.678Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003c 8.4"
},
{
"status": "affected",
"version": "\u003c 7.6.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-10T18:06:29.614Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8"
},
{
"name": "https://github.com/gradle/gradle/releases/tag/v7.6.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/releases/tag/v7.6.3"
},
{
"name": "https://github.com/gradle/gradle/releases/tag/v8.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/releases/tag/v8.4.0"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231110-0006/"
}
],
"source": {
"advisory": "GHSA-mrff-q8qj-xvg8",
"discovery": "UNKNOWN"
},
"title": "Possible local file exfiltration by XML External entity injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42445",
"datePublished": "2023-10-06T13:52:02.982Z",
"dateReserved": "2023-09-08T20:57:45.572Z",
"dateUpdated": "2025-06-16T17:08:05.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-44387 (GCVE-0-2023-44387)
Vulnerability from cvelistv5 – Published: 2023-10-05 17:51 – Updated: 2025-02-13 17:13
VLAI?
Title
Gradle has incorrect permission assignment for symlinked files used in copy or archiving operations
Summary
Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.
Severity ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:32.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9"
},
{
"name": "https://github.com/gradle/gradle/commit/3b406191e24d69e7e42dc3f3b5cc50625aa930b7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/commit/3b406191e24d69e7e42dc3f3b5cc50625aa930b7"
},
{
"name": "https://github.com/gradle/gradle/releases/tag/v7.6.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/releases/tag/v7.6.3"
},
{
"name": "https://github.com/gradle/gradle/releases/tag/v8.4.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/releases/tag/v8.4.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20231110-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.6.0, \u003c 7.6.3"
},
{
"status": "affected",
"version": "\u003c 8.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-10T18:06:31.367Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9"
},
{
"name": "https://github.com/gradle/gradle/commit/3b406191e24d69e7e42dc3f3b5cc50625aa930b7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/commit/3b406191e24d69e7e42dc3f3b5cc50625aa930b7"
},
{
"name": "https://github.com/gradle/gradle/releases/tag/v7.6.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/releases/tag/v7.6.3"
},
{
"name": "https://github.com/gradle/gradle/releases/tag/v8.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/releases/tag/v8.4.0"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231110-0006/"
}
],
"source": {
"advisory": "GHSA-43r3-pqhv-f7h9",
"discovery": "UNKNOWN"
},
"title": "Gradle has incorrect permission assignment for symlinked files used in copy or archiving operations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-44387",
"datePublished": "2023-10-05T17:51:15.407Z",
"dateReserved": "2023-09-28T17:56:32.613Z",
"dateUpdated": "2025-02-13T17:13:40.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35946 (GCVE-0-2023-35946)
Vulnerability from cvelistv5 – Published: 2023-06-30 20:21 – Updated: 2025-02-13 16:55
VLAI?
Title
Dependency cache path traversal in Gradle
Summary
Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, `dependency verification` will make this vulnerability more difficult to exploit.
Severity ?
6.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:37:41.227Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v"
},
{
"name": "https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d"
},
{
"name": "https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12"
},
{
"name": "https://docs.gradle.org/current/userguide/dependency_verification.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gradle.org/current/userguide/dependency_verification.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230731-0003/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003c 7.6.2"
},
{
"status": "affected",
"version": "\u003e= 8.0, \u003c 8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency\u0027s coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build\u0027s configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, `dependency verification` will make this vulnerability more difficult to exploit."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-31T18:06:14.675Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v"
},
{
"name": "https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d"
},
{
"name": "https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12"
},
{
"name": "https://docs.gradle.org/current/userguide/dependency_verification.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gradle.org/current/userguide/dependency_verification.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230731-0003/"
}
],
"source": {
"advisory": "GHSA-2h6c-rv6q-494v",
"discovery": "UNKNOWN"
},
"title": "Dependency cache path traversal in Gradle"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-35946",
"datePublished": "2023-06-30T20:21:17.219Z",
"dateReserved": "2023-06-20T14:02:45.598Z",
"dateUpdated": "2025-02-13T16:55:57.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-35947 (GCVE-0-2023-35947)
Vulnerability from cvelistv5 – Published: 2023-06-30 20:18 – Updated: 2025-02-13 16:55
VLAI?
Title
Path traversal vulnerabilities in handling of Tar archives in Gradle
Summary
Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.
### Impact
This is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip.
* When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions.
* For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read.
To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed.
Gradle uses Tar archives for its [Build Cache](https://docs.gradle.org/current/userguide/build_cache.html). These archives are safe when created by Gradle. But if an attacker had control of a remote build cache server, they could inject malicious build cache entries that leverage this vulnerability. This attack vector could also be exploited if a man-in-the-middle can be performed between the remote cache and the build.
### Patches
A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name.
It is recommended that users upgrade to a patched version.
### Workarounds
There is no workaround.
* If your build deals with Tar archives that you do not fully trust, you need to inspect them to confirm they do not attempt to leverage this vulnerability.
* If you use the Gradle remote build cache, make sure only trusted parties have write access to it and that connections to the remote cache are properly secured.
### References
* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')](https://cwe.mitre.org/data/definitions/22.html)
* [Gradle Build Cache](https://docs.gradle.org/current/userguide/build_cache.html)
* [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)
Severity ?
6.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:37:41.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842"
},
{
"name": "https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879"
},
{
"name": "https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230803-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003c 7.6.1"
},
{
"status": "affected",
"version": "\u003e= 8.0, \u003c 8.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n\n\n### Impact\n\nThis is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip.\n\n* When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions.\n* For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read.\n\nTo exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed.\n\nGradle uses Tar archives for its [Build Cache](https://docs.gradle.org/current/userguide/build_cache.html). These archives are safe when created by Gradle. But if an attacker had control of a remote build cache server, they could inject malicious build cache entries that leverage this vulnerability. This attack vector could also be exploited if a man-in-the-middle can be performed between the remote cache and the build.\n\n### Patches\n\nA fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name.\n\nIt is recommended that users upgrade to a patched version.\n\n### Workarounds\n\nThere is no workaround.\n\n* If your build deals with Tar archives that you do not fully trust, you need to inspect them to confirm they do not attempt to leverage this vulnerability.\n* If you use the Gradle remote build cache, make sure only trusted parties have write access to it and that connections to the remote cache are properly secured.\n\n### References\n\n* [CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)](https://cwe.mitre.org/data/definitions/22.html)\n* [Gradle Build Cache](https://docs.gradle.org/current/userguide/build_cache.html)\n* [ZipSlip](https://security.snyk.io/research/zip-slip-vulnerability)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-03T14:06:25.421Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842"
},
{
"name": "https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879"
},
{
"name": "https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230803-0007/"
}
],
"source": {
"advisory": "GHSA-84mw-qh6q-v842",
"discovery": "UNKNOWN"
},
"title": "Path traversal vulnerabilities in handling of Tar archives in Gradle"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-35947",
"datePublished": "2023-06-30T20:18:06.263Z",
"dateReserved": "2023-06-20T14:02:45.598Z",
"dateUpdated": "2025-02-13T16:55:57.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26053 (GCVE-0-2023-26053)
Vulnerability from cvelistv5 – Published: 2023-03-02 03:11 – Updated: 2025-03-05 21:15
VLAI?
Title
Gradle usage of long IDs for PGP keys opens potential for collision attacks
Summary
Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue.
Severity ?
6.6 (Medium)
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-c724-3xg7-g3hf",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-c724-3xg7-g3hf"
},
{
"name": "https://github.com/gradle/gradle/commit/bf3cc0f2b463033037e67aaacda31291643ea1a9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/commit/bf3cc0f2b463033037e67aaacda31291643ea1a9"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230413-0002/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T21:15:32.231102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T21:15:36.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.2, \u003c 6.9.4"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-13T16:06:21.602Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-c724-3xg7-g3hf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-c724-3xg7-g3hf"
},
{
"name": "https://github.com/gradle/gradle/commit/bf3cc0f2b463033037e67aaacda31291643ea1a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/commit/bf3cc0f2b463033037e67aaacda31291643ea1a9"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230413-0002/"
}
],
"source": {
"advisory": "GHSA-c724-3xg7-g3hf",
"discovery": "UNKNOWN"
},
"title": "Gradle usage of long IDs for PGP keys opens potential for collision attacks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-26053",
"datePublished": "2023-03-02T03:11:31.488Z",
"dateReserved": "2023-02-17T22:44:03.150Z",
"dateUpdated": "2025-03-05T21:15:36.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31156 (GCVE-0-2022-31156)
Vulnerability from cvelistv5 – Published: 2022-07-14 20:05 – Updated: 2025-04-23 18:02
VLAI?
Title
Gradle's dependency verification can ignore checksum verification when signature verification cannot be performed
Summary
Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files.
Severity ?
6.6 (Medium)
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:11:39.622Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gradle.org/7.5/release-notes.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:51:29.706463Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:02:03.963Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.2, \u003c= 7.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-14T20:05:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gradle.org/7.5/release-notes.html"
}
],
"source": {
"advisory": "GHSA-j6wc-xfg8-jx2j",
"discovery": "UNKNOWN"
},
"title": "Gradle\u0027s dependency verification can ignore checksum verification when signature verification cannot be performed",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31156",
"STATE": "PUBLIC",
"TITLE": "Gradle\u0027s dependency verification can ignore checksum verification when signature verification cannot be performed"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gradle",
"version": {
"version_data": [
{
"version_value": "\u003e= 6.2, \u003c= 7.4.2"
}
]
}
}
]
},
"vendor_name": "gradle"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j",
"refsource": "CONFIRM",
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j"
},
{
"name": "https://docs.gradle.org/7.5/release-notes.html",
"refsource": "MISC",
"url": "https://docs.gradle.org/7.5/release-notes.html"
}
]
},
"source": {
"advisory": "GHSA-j6wc-xfg8-jx2j",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31156",
"datePublished": "2022-07-14T20:05:11.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:02:03.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23630 (GCVE-0-2022-23630)
Vulnerability from cvelistv5 – Published: 2022-02-10 20:10 – Updated: 2025-04-23 19:05
VLAI?
Title
Dependency verification bypass in Gradle
Summary
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled.
Severity ?
7.5 (High)
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:45.670Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gradle.org/7.4/release-notes.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23630",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:56:14.266126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:05:40.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.2, \u003c 7.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-10T20:10:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gradle.org/7.4/release-notes.html"
}
],
"source": {
"advisory": "GHSA-9pf5-88jw-3qgr",
"discovery": "UNKNOWN"
},
"title": "Dependency verification bypass in Gradle",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23630",
"STATE": "PUBLIC",
"TITLE": "Dependency verification bypass in Gradle"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gradle",
"version": {
"version_data": [
{
"version_value": "\u003e= 6.2, \u003c 7.4"
}
]
}
}
]
},
"vendor_name": "gradle"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr",
"refsource": "CONFIRM",
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr"
},
{
"name": "https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351"
},
{
"name": "https://docs.gradle.org/7.4/release-notes.html",
"refsource": "MISC",
"url": "https://docs.gradle.org/7.4/release-notes.html"
}
]
},
"source": {
"advisory": "GHSA-9pf5-88jw-3qgr",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23630",
"datePublished": "2022-02-10T20:10:09.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:05:40.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32751 (GCVE-0-2021-32751)
Vulnerability from cvelistv5 – Published: 2021-07-20 22:55 – Updated: 2024-08-03 23:33
VLAI?
Title
Arbitrary code execution via specially crafted environment variables
Summary
Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in thieir application on Unix-like systems. For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the use of `eval` and requiring the use of the `bash` shell. There are a few workarounds available. For CI/CD systems using the Gradle build tool, one may ensure that untrusted users are unable to change environment variables for the user that executes `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it for older versions of Gradle. Fpplications using start scripts generated by Gradle, one may ensure that untrusted users are unable to change environment variables for the user that executes the start script. A vulnerable start script could be manually patched to remove the use of `eval` or the use of environment variables that affect the application's command-line. If the application is simple enough, one may be able to avoid the use of the start scripts by running the application directly with Java command.
Severity ?
7.5 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:33:55.749Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/dot-debug/the-perils-of-bash-eval-cc5f9e309cae"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mywiki.wooledge.org/BashFAQ/048"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003c 7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in thieir application on Unix-like systems. For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the use of `eval` and requiring the use of the `bash` shell. There are a few workarounds available. For CI/CD systems using the Gradle build tool, one may ensure that untrusted users are unable to change environment variables for the user that executes `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it for older versions of Gradle. Fpplications using start scripts generated by Gradle, one may ensure that untrusted users are unable to change environment variables for the user that executes the start script. A vulnerable start script could be manually patched to remove the use of `eval` or the use of environment variables that affect the application\u0027s command-line. If the application is simple enough, one may be able to avoid the use of the start scripts by running the application directly with Java command."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-20T22:55:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/dot-debug/the-perils-of-bash-eval-cc5f9e309cae"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mywiki.wooledge.org/BashFAQ/048"
}
],
"source": {
"advisory": "GHSA-6j2p-252f-7mw8",
"discovery": "UNKNOWN"
},
"title": "Arbitrary code execution via specially crafted environment variables",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32751",
"STATE": "PUBLIC",
"TITLE": "Arbitrary code execution via specially crafted environment variables"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gradle",
"version": {
"version_data": [
{
"version_value": "\u003c 7.2"
}
]
}
}
]
},
"vendor_name": "gradle"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the scripts generated by Gradle in thieir application on Unix-like systems. For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the use of `eval` and requiring the use of the `bash` shell. There are a few workarounds available. For CI/CD systems using the Gradle build tool, one may ensure that untrusted users are unable to change environment variables for the user that executes `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it for older versions of Gradle. Fpplications using start scripts generated by Gradle, one may ensure that untrusted users are unable to change environment variables for the user that executes the start script. A vulnerable start script could be manually patched to remove the use of `eval` or the use of environment variables that affect the application\u0027s command-line. If the application is simple enough, one may be able to avoid the use of the start scripts by running the application directly with Java command."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8",
"refsource": "CONFIRM",
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8"
},
{
"name": "https://medium.com/dot-debug/the-perils-of-bash-eval-cc5f9e309cae",
"refsource": "MISC",
"url": "https://medium.com/dot-debug/the-perils-of-bash-eval-cc5f9e309cae"
},
{
"name": "https://mywiki.wooledge.org/BashFAQ/048",
"refsource": "MISC",
"url": "https://mywiki.wooledge.org/BashFAQ/048"
}
]
},
"source": {
"advisory": "GHSA-6j2p-252f-7mw8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32751",
"datePublished": "2021-07-20T22:55:12.000Z",
"dateReserved": "2021-05-12T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:33:55.749Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29427 (GCVE-0-2021-29427)
Vulnerability from cvelistv5 – Published: 2021-04-13 17:55 – Updated: 2024-08-03 22:02
VLAI?
Title
Repository content filters do not work in Settings pluginManagement
Summary
In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced.
Severity ?
CWE
- CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.1, \u003c= 6.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \"A Confusing Dependency\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-829",
"description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T17:55:24.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395"
}
],
"source": {
"advisory": "GHSA-jvmj-rh6q-x395",
"discovery": "UNKNOWN"
},
"title": "Repository content filters do not work in Settings pluginManagement",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29427",
"STATE": "PUBLIC",
"TITLE": "Repository content filters do not work in Settings pluginManagement"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gradle",
"version": {
"version_data": [
{
"version_value": "\u003e= 5.1, \u003c= 6.8.3"
}
]
}
}
]
},
"vendor_name": "gradle"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the \"A Confusing Dependency\" blog post. In some cases, Gradle may ignore content filters and search all repositories for dependencies. This only occurs when repository content filtering is used from within a `pluginManagement` block in a settings file. This may change how dependencies are resolved for Gradle plugins and build scripts. For builds that are vulnerable, there are two risks: 1) Information disclosure: Gradle could make dependency requests to repositories outside your organization and leak internal package identifiers. 2) Dependency poisoning/Dependency confusion: Gradle could download a malicious binary from a repository outside your organization due to name squatting. For a full example and more details refer to the referenced GitHub Security Advisory. The problem has been patched and released with Gradle 7.0. Users relying on this feature should upgrade their build as soon as possible. As a workaround, users may use a company repository which has the right rules for fetching packages from public repositories, or use project level repository content filtering, inside `buildscript.repositories`. This option is available since Gradle 5.1 when the feature was introduced."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.gradle.org/7.0/release-notes.html#security-advisories",
"refsource": "MISC",
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
},
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395",
"refsource": "CONFIRM",
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-jvmj-rh6q-x395"
}
]
},
"source": {
"advisory": "GHSA-jvmj-rh6q-x395",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29427",
"datePublished": "2021-04-13T17:55:24.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:02:51.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29428 (GCVE-0-2021-29428)
Vulnerability from cvelistv5 – Published: 2021-04-13 17:55 – Updated: 2024-08-03 22:02
VLAI?
Title
Local privilege escalation through system temporary directory
Summary
In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the "sticky" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the "sticky" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.887Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/pull/15654"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/pull/15240"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the \"sticky\" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the \"sticky\" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-379",
"description": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-378",
"description": "CWE-378: Creation of Temporary File With Insecure Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-13T17:55:18.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/pull/15654"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gradle/gradle/pull/15240"
}
],
"source": {
"advisory": "GHSA-89qm-pxvm-p336",
"discovery": "UNKNOWN"
},
"title": "Local privilege escalation through system temporary directory",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29428",
"STATE": "PUBLIC",
"TITLE": "Local privilege escalation through system temporary directory"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gradle",
"version": {
"version_data": [
{
"version_value": "\u003c 7.0"
}
]
}
}
]
},
"vendor_name": "gradle"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted builds using precompiled script plugins written in Kotlin DSL and tests for Gradle plugins written using ProjectBuilder or TestKit. If you are on Windows or modern versions of macOS, you are not vulnerable. If you are on a Unix-like operating system with the \"sticky\" bit set on your system temporary directory, you are not vulnerable. The problem has been patched and released with Gradle 7.0. As a workaround, on Unix-like operating systems, ensure that the \"sticky\" bit is set. This only allows the original user (or root) to delete a file. If you are unable to change the permissions of the system temporary directory, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only. For additional details refer to the referenced GitHub Security Advisory."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-379 Creation of Temporary File in Directory with Incorrect Permissions"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-378: Creation of Temporary File With Insecure Permissions"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.gradle.org/7.0/release-notes.html#security-advisories",
"refsource": "MISC",
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
},
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336",
"refsource": "CONFIRM",
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336"
},
{
"name": "https://github.com/gradle/gradle/pull/15654",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/pull/15654"
},
{
"name": "https://github.com/gradle/gradle/pull/15240",
"refsource": "MISC",
"url": "https://github.com/gradle/gradle/pull/15240"
}
]
},
"source": {
"advisory": "GHSA-89qm-pxvm-p336",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29428",
"datePublished": "2021-04-13T17:55:18.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:02:51.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29429 (GCVE-0-2021-29429)
Vulnerability from cvelistv5 – Published: 2021-04-12 21:30 – Updated: 2024-08-03 22:02
VLAI?
Title
Information disclosure through temporary directory permissions
Summary
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system's umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only.
Severity ?
4 (Medium)
CWE
- CWE-377 - Insecure Temporary File
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:02:51.929Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gradle",
"vendor": "gradle",
"versions": [
{
"status": "affected",
"version": "\u003c 7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system\u0027s umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377 Insecure Temporary File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T21:30:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
}
],
"source": {
"advisory": "GHSA-fp8h-qmr5-j4c8",
"discovery": "UNKNOWN"
},
"title": "Information disclosure through temporary directory permissions",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29429",
"STATE": "PUBLIC",
"TITLE": "Information disclosure through temporary directory permissions"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gradle",
"version": {
"version_data": [
{
"version_value": "\u003c 7.0"
}
]
}
}
]
},
"vendor_name": "gradle"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information contained in these files can be exposed to other local users on the same system. If you do not use the `TextResourceFactory` API, you are not vulnerable. As of Gradle 7.0, uses of the system temporary directory have been moved to the Gradle User Home directory. By default, this directory is restricted to the user running the build. As a workaround, set a more restrictive umask that removes read access to other users. When files are created in the system temporary directory, they will not be accessible to other users. If you are unable to change your system\u0027s umask, you can move the Java temporary directory by setting the System Property `java.io.tmpdir`. The new path needs to limit permissions to the build user only."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-377 Insecure Temporary File"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8",
"refsource": "CONFIRM",
"url": "https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8"
},
{
"name": "https://docs.gradle.org/7.0/release-notes.html#security-advisories",
"refsource": "MISC",
"url": "https://docs.gradle.org/7.0/release-notes.html#security-advisories"
}
]
},
"source": {
"advisory": "GHSA-fp8h-qmr5-j4c8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29429",
"datePublished": "2021-04-12T21:30:12.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:02:51.929Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}