CVE-2022-23630 : Gradle is a build tool with a focus on build automation and support for multi-la

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled.

Published 2022-02-10 20:15:07

Updated 2022-02-17 17:41:50

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: File inclusion

Products affected by CVE-2022-23630

Gradle » Gradle
Versions from including (>=) 6.2.0 and up to, including, (<=) 7.3.3
cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-23630

EPSS FAQ

0.61%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 67 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-23630

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.0	MEDIUM	AV:N/AC:M/Au:S/C:P/I:P/A:P	6.8	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.6	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-23630

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-23630

https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr

Dependency verification can be bypassed when using `ResolutionStrategy.disableDependencyVerification()` · Advisory · gradle/gradle · GitHub
Mitigation;Third Party Advisory
https://docs.gradle.org/7.4/release-notes.html

Gradle 7.4 Release Notes
Release Notes;Vendor Advisory
https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351

Merge pull request #19798 Do not share resolvable artifacts between v… · gradle/gradle@88ab9b6 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-23630

Products affected by CVE-2022-23630

Exploit prediction scoring system (EPSS) score for CVE-2022-23630

CVSS scores for CVE-2022-23630

CWE ids for CVE-2022-23630

References for CVE-2022-23630