Gradle up to 7.6.1/8.1 path traversal

Summaryinfo

A vulnerability labeled as critical has been found in Gradle up to 7.6.1/8.1. The affected element is an unknown function. The manipulation results in path traversal. This vulnerability was named CVE-2023-35946. The attack needs to be approached locally. There is no available exploit. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as critical, was found in Gradle up to 7.6.1/8.1. Affected is an unknown part. The manipulation with an unknown input leads to a path traversal vulnerability. CWE is classifying the issue as CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, `dependency verification` will make this vulnerability more difficult to exploit.

The weakness was presented 07/01/2023 as GHSA-2h6c-rv6q-494v. The advisory is shared for download at github.com. This vulnerability is traded as CVE-2023-35946 since 06/20/2023. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1006.

The vulnerability scanner Nessus provides a plugin with the ID 257907 (Linux Distros Unpatched Vulnerability : CVE-2023-35946), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 7.6.2 or 8.2 eliminates this vulnerability. Applying the patch 859eae2b2acf751ae7db3c9ffefe275aa5da0d5d is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (257907). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Gradle

Version

• 7.6.0
• 7.6.1
• 8.0
• 8.1

License

• open-source

Website

• Product: https://github.com/gradle/gradle/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion