CVE-2023-35946

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-35946

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-35946.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-35946

Aliases

BIT-gradle-2023-35946
GHSA-2h6c-rv6q-494v

Related

Published

2023-06-30T21:15:09Z

Modified

2024-10-12T11:03:56.389630Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, dependency verification will make this vulnerability more difficult to exploit.

References

Affected packages

Debian:11 / gradle

Package

Name: gradle
Purl: pkg:deb/debian/gradle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-13

4.4.1-14

4.4.1-15

4.4.1-16

4.4.1-17

4.4.1-18

4.4.1-19

4.4.1-20

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / gradle

Package

Name: gradle
Purl: pkg:deb/debian/gradle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-18

4.4.1-19

4.4.1-20

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / gradle

Package

Name: gradle
Purl: pkg:deb/debian/gradle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-18

4.4.1-19

4.4.1-20

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/gradle/gradle

Affected ranges

Type: GIT
Repo: https://github.com/gradle/gradle
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

859eae2b2acf751ae7db3c9ffefe275aa5da0d5d

Fixed

b07e528feb3a5ffa66bdcc358549edd73e4c8a12

Affected versions

REL-0.*

REL-0.8

REL-0.9-preview-1

REL-0.9-preview-2

REL-0.9-preview-3

REL-0.9-rc-1

REL_0.*

REL_0.9

REL_0.9-rc-2

REL_0.9-rc-3

REL_0.9.1

REL_0.9.2

REL_1.*

REL_1.0

REL_1.0-milestone-1

REL_1.0-milestone-2

REL_1.0-milestone-3

REL_1.0-milestone-4

REL_1.0-milestone-5

REL_1.0-milestone-6

REL_1.0-milestone-7

REL_1.0-milestone-8

REL_1.0-milestone-8a

REL_1.0-milestone-9

REL_1.0-rc-1

REL_1.0-rc-2

REL_1.0-rc-3

REL_1.1

REL_1.1-rc-1

REL_1.1-rc-2

REL_1.10

REL_1.10-rc-1

REL_1.10-rc-2

REL_1.11

REL_1.11-rc-1

REL_1.12

REL_1.12-rc-1

REL_1.12-rc-2

REL_1.2

REL_1.2-rc-1

REL_1.3

REL_1.3-rc-1

REL_1.3-rc-2

REL_1.4

REL_1.4-rc-1

REL_1.4-rc-2

REL_1.4-rc-3

REL_1.5

REL_1.5-rc-1

REL_1.5-rc-2

REL_1.5-rc-3

REL_1.6

REL_1.6-rc-1

REL_1.7

REL_1.7-rc-1

REL_1.7-rc-2

REL_1.8

REL_1.8-rc-1

REL_1.8-rc-2

REL_1.9

REL_1.9-rc-1

REL_1.9-rc-2

REL_1.9-rc-3

REL_1.9-rc-4

REL_2.*

REL_2.0

REL_2.0-rc-1

REL_2.0-rc-2

REL_2.1

REL_2.1-rc-1

REL_2.1-rc-2

REL_2.1-rc-3

REL_2.1-rc-4

REL_2.10

REL_2.10-rc-1

REL_2.10-rc-2

REL_2.11

REL_2.11-rc-1

REL_2.11-rc-2

REL_2.11-rc-3

REL_2.12

REL_2.12-rc-1

REL_2.13

REL_2.13-rc-1

REL_2.13-rc-2

REL_2.14

REL_2.14-rc-1

REL_2.14-rc-2

REL_2.14-rc-3

REL_2.14-rc-4

REL_2.14-rc-5

REL_2.14-rc-6

REL_2.14.1

REL_2.14.1-rc-1

REL_2.14.1-rc-2

REL_2.2

REL_2.2-rc-1

REL_2.2-rc-2

REL_2.2.1

REL_2.2.1-rc-1

REL_2.3

REL_2.3-rc-1

REL_2.3-rc-2

REL_2.3-rc-3

REL_2.3-rc-4

REL_2.4

REL_2.4-rc-1

REL_2.4-rc-2

REL_2.5

REL_2.5-rc-1

REL_2.5-rc-2

REL_2.6

REL_2.6-rc-1

REL_2.6-rc-2

REL_2.7

REL_2.7-rc-1

REL_2.7-rc-2

REL_2.8

REL_2.8-rc-1

REL_2.8-rc-2

REL_2.9

REL_2.9-rc-1

REL_3.*

REL_3.0

REL_3.0-milestone-1

REL_3.0-milestone-2

REL_3.0-rc-1

REL_3.0-rc-2

REL_3.1

REL_3.1-rc-1

REL_3.2

REL_3.2-rc-1

REL_3.2-rc-2

REL_3.2-rc-3

REL_3.2.1

REL_3.3

REL_3.3-rc-1

REL_3.4

REL_3.4-rc-2

REL_3.4-rc-3

REL_3.4.1

REL_3.5

REL_3.5-rc-1

REL_3.5-rc-2

REL_3.5-rc-3

REL_3.5.1

REL_4.*

REL_4.0

REL_4.0-milestone-1

REL_4.0-milestone-2

REL_4.0-rc-1

REL_4.0-rc-2

REL_4.0-rc-3

REL_4.0.1

REL_4.0.2

REL_4.1

REL_4.1-milestone-1

REL_4.1-rc-1

REL_4.1-rc-2

REL_4.2

REL_4.2-rc-1

REL_4.2-rc-2

REL_4.2.1

REL_4.3

REL_4.3-rc-1

REL_4.3-rc-2

REL_4.3-rc-3

REL_4.3-rc-4

REL_4.3.1

REL_4.4

REL_4.4-rc-1

REL_4.4-rc-2

REL_4.4-rc-3

REL_4.4-rc-4

REL_4.4-rc-5

REL_4.4-rc-6

v0.*

v0.8.0

v0.9.0

v0.9.0-RC1

v0.9.0-RC2

v0.9.0-RC3

v0.9.1

v0.9.2

v1.*

v1.0.0

v1.0.0-M1

v1.0.0-M2

v1.0.0-M3

v1.0.0-M4

v1.0.0-M5

v1.0.0-M6

v1.0.0-M7

v1.0.0-M8

v1.0.0-M8a

v1.0.0-M9

v1.0.0-RC1

v1.0.0-RC2

v1.0.0-RC3

v1.1.0

v1.1.0-RC1

v1.1.0-RC2

v1.10.0

v1.10.0-RC1

v1.10.0-RC2

v1.11.0

v1.11.0-RC1

v1.12.0

v1.12.0-RC1

v1.12.0-RC2

v1.2.0

v1.2.0-RC1

v1.3.0

v1.3.0-RC1

v1.3.0-RC2

v1.4.0

v1.4.0-RC1

v1.4.0-RC2

v1.4.0-RC3

v1.5.0

v1.5.0-RC1

v1.5.0-RC2

v1.5.0-RC3

v1.6.0

v1.6.0-RC1

v1.7.0

v1.7.0-RC1

v1.7.0-RC2

v1.8.0

v1.8.0-RC1

v1.8.0-RC2

v1.9.0

v1.9.0-RC1

v1.9.0-RC2

v1.9.0-RC3

v1.9.0-RC4

v2.*

v2.0.0

v2.0.0-RC1

v2.0.0-RC2

v2.1.0

v2.1.0-RC1

v2.1.0-RC2

v2.1.0-RC3

v2.1.0-RC4

v2.10.0

v2.10.0-RC1

v2.10.0-RC2

v2.11.0

v2.11.0-RC1

v2.11.0-RC2

v2.11.0-RC3

v2.12.0

v2.12.0-RC1

v2.13.0

v2.13.0-RC1

v2.13.0-RC2

v2.14.0

v2.14.0-RC1

v2.14.0-RC2

v2.14.0-RC3

v2.14.0-RC4

v2.14.0-RC5

v2.14.0-RC6

v2.14.1

v2.14.1-RC1

v2.14.1-RC2

v2.2.0

v2.2.0-RC1

v2.2.0-RC2

v2.2.1

v2.2.1-RC1

v2.3.0

v2.3.0-RC1

v2.3.0-RC2

v2.3.0-RC3

v2.3.0-RC4

v2.4.0

v2.4.0-RC1

v2.4.0-RC2

v2.5.0

v2.5.0-RC1

v2.5.0-RC2

v2.6.0

v2.6.0-RC1

v2.6.0-RC2

v2.7.0

v2.7.0-RC1

v2.7.0-RC2

v2.8.0

v2.8.0-RC1

v2.8.0-RC2

v2.9.0

v2.9.0-RC1

v3.*

v3.0.0

v3.0.0-M1

v3.0.0-M2

v3.0.0-RC1

v3.0.0-RC2

v3.1.0

v3.1.0-RC1

v3.2.0

v3.2.0-RC1

v3.2.0-RC2

v3.2.0-RC3

v3.2.1

v3.3.0

v3.3.0-RC1

v3.4.0

v3.4.0-RC1

v3.4.0-RC2

v3.4.0-RC3

v3.4.1

v3.5.0

v3.5.0-RC1

v3.5.0-RC2

v3.5.0-RC3

v3.5.1

v4.*

v4.0.0

v4.0.0-M1

v4.0.0-M2

v4.0.0-RC1

v4.0.0-RC2

v4.0.0-RC3

v4.0.0-milestone-1

v4.0.1

v4.0.2

v4.1.0

v4.1.0-M1

v4.1.0-RC1

v4.1.0-RC2

v4.10.0

v4.10.0-RC1

v4.10.0-RC2

v4.10.0-RC3

v4.10.1

v4.10.2

v4.2.0

v4.2.0-RC1

v4.2.0-RC2

v4.2.1

v4.3.0

v4.3.0-RC1

v4.3.0-RC2

v4.3.0-RC3

v4.3.0-RC4

v4.3.1

v4.4.0

v4.4.0-RC1

v4.4.0-RC2

v4.4.0-RC3

v4.4.0-RC4

v4.4.0-RC5

v4.4.0-RC6

v4.4.1

v4.5.0

v4.5.0-RC1

v4.5.0-RC2

v4.5.1

v4.6.0

v4.6.0-RC1

v4.6.0-RC2

v4.7.0

v4.7.0-RC1

v4.7.0-RC2

v4.8.0

v4.8.0-RC1

v4.8.0-RC2

v4.8.0-RC3

v4.8.1

v4.9.0

v4.9.0-RC1

v4.9.0-RC2

v5.*

v5.0.0

v5.0.0-M1

v5.0.0-RC1

v5.0.0-RC2

v5.0.0-RC3

v5.0.0-RC4

v5.0.0-RC5

v5.1.0

v5.1.0-M1

v5.1.0-RC1

v5.1.0-RC2

v5.1.0-RC3

v5.1.1

v5.2.0

v5.2.0-RC1

v5.2.1

v5.3.0

v5.3.0-RC1

v5.3.0-RC2

v5.3.0-RC3

v5.3.1

v5.4.0

v5.4.0-RC1

v5.4.1

v5.5.0

v5.5.0-RC1

v5.5.0-RC2

v5.5.0-RC3

v5.5.0-RC4

v5.5.1

v5.6.0

v5.6.0-RC1

v5.6.0-RC2

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v6.*

v6.0.0

v6.0.0-RC1

v6.0.0-RC2

v6.0.0-RC3

v6.0.1

v6.1.0

v6.1.0-M1

v6.1.0-M2

v6.1.0-M3

v6.1.0-RC1

v6.1.0-RC2

v6.1.0-RC3

v6.1.1

v6.2.0

v6.2.0-RC1

v6.2.0-RC2

v6.2.0-RC3

v6.2.1

v6.2.2

v6.3.0

v6.3.0-RC1

v6.3.0-RC2

v6.3.0-RC3

v6.3.0-RC4

v6.4.0

v6.4.0-RC1

v6.4.0-RC2

v6.4.0-RC3

v6.4.0-RC4

v6.4.1

v6.5.0

v6.5.0-M1

v6.5.0-M2

v6.5.0-RC1

v6.5.1

v6.6.0

v6.6.0-M1

v6.6.0-M2

v6.6.0-M3

v6.6.0-RC1

v6.6.0-RC2

v6.6.0-RC3

v6.6.0-RC4

v6.6.0-RC5

v6.6.0-RC6

v6.6.1

v6.7.0

v6.7.0-RC1

v6.7.0-RC2

v6.7.0-RC3

v6.7.0-RC4

v6.7.0-RC5

v6.7.1

v6.8.0

v6.8.0-M1

v6.8.0-M2

v6.8.0-M3

v6.8.0-RC1

v6.8.0-RC2

v6.8.0-RC3

v6.8.0-RC4

v6.8.0-RC5

v6.8.1

v6.8.2

v6.8.3

v7.*

v7.0.0

v7.0.0-M1

v7.0.0-M2

v7.0.0-M3

v7.0.0-RC1

v7.0.0-RC2

v7.0.1

v7.0.2

v7.1.0

v7.1.0-RC1

v7.1.0-RC2

v7.1.1

v7.2.0

v7.2.0-RC1

v7.2.0-RC2

v7.2.0-RC3

v7.3.0

v7.3.0-RC1

v7.3.0-RC2

v7.3.0-RC3

v7.3.0-RC4

v7.3.0-RC5

v7.3.1

v7.3.2

v7.3.3

v7.3.3-RC1

v7.4.0

v7.4.0-RC1

v7.4.0-RC2

v7.4.1

v7.4.2

v7.5.0

v7.5.0-M1

v7.5.0-RC1

v7.5.0-RC2

v7.5.0-RC3

v7.5.0-RC4

v7.5.0-RC5

v7.5.1

v7.6.0

v7.6.0-M1

v7.6.0-RC1

v7.6.0-RC2

v7.6.0-RC3

v7.6.0-RC4

v7.6.1

v8.*

v8.0.0

v8.0.0-M1

v8.0.0-M2

v8.0.0-M3

v8.0.0-M4

v8.0.0-M5

v8.0.0-M6

v8.0.0-RC1

v8.0.0-RC2

v8.0.0-RC3

v8.0.0-RC4

v8.0.0-RC5

v8.0.1

v8.0.2

v8.1.0

v8.1.0-RC1

v8.1.0-RC2

v8.1.0-RC3

v8.1.0-RC4

v8.1.1

v8.2.0-M1

v8.2.0-RC1

v8.2.0-RC2