CVE-2023-35947

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-35947

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-35947.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-35947

Aliases

BIT-gradle-2023-35947
GHSA-84mw-qh6q-v842

Related

Published

2023-06-30T21:15:09Z

Modified

2024-10-12T11:03:58.034192Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Impact

This is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip.

When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions.
For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read.

To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed.

Gradle uses Tar archives for its Build Cache. These archives are safe when created by Gradle. But if an attacker had control of a remote build cache server, they could inject malicious build cache entries that leverage this vulnerability. This attack vector could also be exploited if a man-in-the-middle can be performed between the remote cache and the build.

Patches

A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name.

It is recommended that users upgrade to a patched version.

Workarounds

There is no workaround.

If your build deals with Tar archives that you do not fully trust, you need to inspect them to confirm they do not attempt to leverage this vulnerability.
If you use the Gradle remote build cache, make sure only trusted parties have write access to it and that connections to the remote cache are properly secured.

References

References

Affected packages

Debian:11 / gradle

Package

Name: gradle
Purl: pkg:deb/debian/gradle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-13

4.4.1-14

4.4.1-15

4.4.1-16

4.4.1-17

4.4.1-18

4.4.1-19

4.4.1-20

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / gradle

Package

Name: gradle
Purl: pkg:deb/debian/gradle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-18

4.4.1-19

4.4.1-20

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / gradle

Package

Name: gradle
Purl: pkg:deb/debian/gradle?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-18

4.4.1-19

4.4.1-20

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/gradle/gradle

Affected ranges

Type: GIT
Repo: https://github.com/gradle/gradle
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1096b309520a8c315e3b6109a6526de4eabcb879

Fixed

2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91

Affected versions

REL-0.*

REL-0.8

REL-0.9-preview-1

REL-0.9-preview-2

REL-0.9-preview-3

REL-0.9-rc-1

REL_0.*

REL_0.9

REL_0.9-rc-2

REL_0.9-rc-3

REL_0.9.1

REL_0.9.2

REL_1.*

REL_1.0

REL_1.0-milestone-1

REL_1.0-milestone-2

REL_1.0-milestone-3

REL_1.0-milestone-4

REL_1.0-milestone-5

REL_1.0-milestone-6

REL_1.0-milestone-7

REL_1.0-milestone-8

REL_1.0-milestone-8a

REL_1.0-milestone-9

REL_1.0-rc-1

REL_1.0-rc-2

REL_1.0-rc-3

REL_1.1

REL_1.1-rc-1

REL_1.1-rc-2

REL_1.10

REL_1.10-rc-1

REL_1.10-rc-2

REL_1.11

REL_1.11-rc-1

REL_1.12

REL_1.12-rc-1

REL_1.12-rc-2

REL_1.2

REL_1.2-rc-1

REL_1.3

REL_1.3-rc-1

REL_1.3-rc-2

REL_1.4

REL_1.4-rc-1

REL_1.4-rc-2

REL_1.4-rc-3

REL_1.5

REL_1.5-rc-1

REL_1.5-rc-2

REL_1.5-rc-3

REL_1.6

REL_1.6-rc-1

REL_1.7

REL_1.7-rc-1

REL_1.7-rc-2

REL_1.8

REL_1.8-rc-1

REL_1.8-rc-2

REL_1.9

REL_1.9-rc-1

REL_1.9-rc-2

REL_1.9-rc-3

REL_1.9-rc-4

REL_2.*

REL_2.0

REL_2.0-rc-1

REL_2.0-rc-2

REL_2.1

REL_2.1-rc-1

REL_2.1-rc-2

REL_2.1-rc-3

REL_2.1-rc-4

REL_2.10

REL_2.10-rc-1

REL_2.10-rc-2

REL_2.11

REL_2.11-rc-1

REL_2.11-rc-2

REL_2.11-rc-3

REL_2.12

REL_2.12-rc-1

REL_2.13

REL_2.13-rc-1

REL_2.13-rc-2

REL_2.14

REL_2.14-rc-1

REL_2.14-rc-2

REL_2.14-rc-3

REL_2.14-rc-4

REL_2.14-rc-5

REL_2.14-rc-6

REL_2.14.1

REL_2.14.1-rc-1

REL_2.14.1-rc-2

REL_2.2

REL_2.2-rc-1

REL_2.2-rc-2

REL_2.2.1

REL_2.2.1-rc-1

REL_2.3

REL_2.3-rc-1

REL_2.3-rc-2

REL_2.3-rc-3

REL_2.3-rc-4

REL_2.4

REL_2.4-rc-1

REL_2.4-rc-2

REL_2.5

REL_2.5-rc-1

REL_2.5-rc-2

REL_2.6

REL_2.6-rc-1

REL_2.6-rc-2

REL_2.7

REL_2.7-rc-1

REL_2.7-rc-2

REL_2.8

REL_2.8-rc-1

REL_2.8-rc-2

REL_2.9

REL_2.9-rc-1

REL_3.*

REL_3.0

REL_3.0-milestone-1

REL_3.0-milestone-2

REL_3.0-rc-1

REL_3.0-rc-2

REL_3.1

REL_3.1-rc-1

REL_3.2

REL_3.2-rc-1

REL_3.2-rc-2

REL_3.2-rc-3

REL_3.2.1

REL_3.3

REL_3.3-rc-1

REL_3.4

REL_3.4-rc-2

REL_3.4-rc-3

REL_3.4.1

REL_3.5

REL_3.5-rc-1

REL_3.5-rc-2

REL_3.5-rc-3

REL_3.5.1

REL_4.*

REL_4.0

REL_4.0-milestone-1

REL_4.0-milestone-2

REL_4.0-rc-1

REL_4.0-rc-2

REL_4.0-rc-3

REL_4.0.1

REL_4.0.2

REL_4.1

REL_4.1-milestone-1

REL_4.1-rc-1

REL_4.1-rc-2

REL_4.2

REL_4.2-rc-1

REL_4.2-rc-2

REL_4.2.1

REL_4.3

REL_4.3-rc-1

REL_4.3-rc-2

REL_4.3-rc-3

REL_4.3-rc-4

REL_4.3.1

REL_4.4

REL_4.4-rc-1

REL_4.4-rc-2

REL_4.4-rc-3

REL_4.4-rc-4

REL_4.4-rc-5

REL_4.4-rc-6

v0.*

v0.8.0

v0.9.0

v0.9.0-RC1

v0.9.0-RC2

v0.9.0-RC3

v0.9.1

v0.9.2

v1.*

v1.0.0

v1.0.0-M1

v1.0.0-M2

v1.0.0-M3

v1.0.0-M4

v1.0.0-M5

v1.0.0-M6

v1.0.0-M7

v1.0.0-M8

v1.0.0-M8a

v1.0.0-M9

v1.0.0-RC1

v1.0.0-RC2

v1.0.0-RC3

v1.1.0

v1.1.0-RC1

v1.1.0-RC2

v1.10.0

v1.10.0-RC1

v1.10.0-RC2

v1.11.0

v1.11.0-RC1

v1.12.0

v1.12.0-RC1

v1.12.0-RC2

v1.2.0

v1.2.0-RC1

v1.3.0

v1.3.0-RC1

v1.3.0-RC2

v1.4.0

v1.4.0-RC1

v1.4.0-RC2

v1.4.0-RC3

v1.5.0

v1.5.0-RC1

v1.5.0-RC2

v1.5.0-RC3

v1.6.0

v1.6.0-RC1

v1.7.0

v1.7.0-RC1

v1.7.0-RC2

v1.8.0

v1.8.0-RC1

v1.8.0-RC2

v1.9.0

v1.9.0-RC1

v1.9.0-RC2

v1.9.0-RC3

v1.9.0-RC4

v2.*

v2.0.0

v2.0.0-RC1

v2.0.0-RC2

v2.1.0

v2.1.0-RC1

v2.1.0-RC2

v2.1.0-RC3

v2.1.0-RC4

v2.10.0

v2.10.0-RC1

v2.10.0-RC2

v2.11.0

v2.11.0-RC1

v2.11.0-RC2

v2.11.0-RC3

v2.12.0

v2.12.0-RC1

v2.13.0

v2.13.0-RC1

v2.13.0-RC2

v2.14.0

v2.14.0-RC1

v2.14.0-RC2

v2.14.0-RC3

v2.14.0-RC4

v2.14.0-RC5

v2.14.0-RC6

v2.14.1

v2.14.1-RC1

v2.14.1-RC2

v2.2.0

v2.2.0-RC1

v2.2.0-RC2

v2.2.1

v2.2.1-RC1

v2.3.0

v2.3.0-RC1

v2.3.0-RC2

v2.3.0-RC3

v2.3.0-RC4

v2.4.0

v2.4.0-RC1

v2.4.0-RC2

v2.5.0

v2.5.0-RC1

v2.5.0-RC2

v2.6.0

v2.6.0-RC1

v2.6.0-RC2

v2.7.0

v2.7.0-RC1

v2.7.0-RC2

v2.8.0

v2.8.0-RC1

v2.8.0-RC2

v2.9.0

v2.9.0-RC1

v3.*

v3.0.0

v3.0.0-M1

v3.0.0-M2

v3.0.0-RC1

v3.0.0-RC2

v3.1.0

v3.1.0-RC1

v3.2.0

v3.2.0-RC1

v3.2.0-RC2

v3.2.0-RC3

v3.2.1

v3.3.0

v3.3.0-RC1

v3.4.0

v3.4.0-RC1

v3.4.0-RC2

v3.4.0-RC3

v3.4.1

v3.5.0

v3.5.0-RC1

v3.5.0-RC2

v3.5.0-RC3

v3.5.1

v4.*

v4.0.0

v4.0.0-M1

v4.0.0-M2

v4.0.0-RC1

v4.0.0-RC2

v4.0.0-RC3

v4.0.0-milestone-1

v4.0.1

v4.0.2

v4.1.0

v4.1.0-M1

v4.1.0-RC1

v4.1.0-RC2

v4.10.0

v4.10.0-RC1

v4.10.0-RC2

v4.10.0-RC3

v4.10.1

v4.10.2

v4.2.0

v4.2.0-RC1

v4.2.0-RC2

v4.2.1

v4.3.0

v4.3.0-RC1

v4.3.0-RC2

v4.3.0-RC3

v4.3.0-RC4

v4.3.1

v4.4.0

v4.4.0-RC1

v4.4.0-RC2

v4.4.0-RC3

v4.4.0-RC4

v4.4.0-RC5

v4.4.0-RC6

v4.4.1

v4.5.0

v4.5.0-RC1

v4.5.0-RC2

v4.5.1

v4.6.0

v4.6.0-RC1

v4.6.0-RC2

v4.7.0

v4.7.0-RC1

v4.7.0-RC2

v4.8.0

v4.8.0-RC1

v4.8.0-RC2

v4.8.0-RC3

v4.8.1

v4.9.0

v4.9.0-RC1

v4.9.0-RC2

v5.*

v5.0.0

v5.0.0-M1

v5.0.0-RC1

v5.0.0-RC2

v5.0.0-RC3

v5.0.0-RC4

v5.0.0-RC5

v5.1.0

v5.1.0-M1

v5.1.0-RC1

v5.1.0-RC2

v5.1.0-RC3

v5.1.1

v5.2.0

v5.2.0-RC1

v5.2.1

v5.3.0

v5.3.0-RC1

v5.3.0-RC2

v5.3.0-RC3

v5.3.1

v5.4.0

v5.4.0-RC1

v5.4.1

v5.5.0

v5.5.0-RC1

v5.5.0-RC2

v5.5.0-RC3

v5.5.0-RC4

v5.5.1

v5.6.0

v5.6.0-RC1

v5.6.0-RC2

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v6.*

v6.0.0

v6.0.0-RC1

v6.0.0-RC2

v6.0.0-RC3

v6.0.1

v6.1.0

v6.1.0-M1

v6.1.0-M2

v6.1.0-M3

v6.1.0-RC1

v6.1.0-RC2

v6.1.0-RC3

v6.1.1

v6.2.0

v6.2.0-RC1

v6.2.0-RC2

v6.2.0-RC3

v6.2.1

v6.2.2

v6.3.0

v6.3.0-RC1

v6.3.0-RC2

v6.3.0-RC3

v6.3.0-RC4

v6.4.0

v6.4.0-RC1

v6.4.0-RC2

v6.4.0-RC3

v6.4.0-RC4

v6.4.1

v6.5.0

v6.5.0-M1

v6.5.0-M2

v6.5.0-RC1

v6.5.1

v6.6.0

v6.6.0-M1

v6.6.0-M2

v6.6.0-M3

v6.6.0-RC1

v6.6.0-RC2

v6.6.0-RC3

v6.6.0-RC4

v6.6.0-RC5

v6.6.0-RC6

v6.6.1

v6.7.0

v6.7.0-RC1

v6.7.0-RC2

v6.7.0-RC3

v6.7.0-RC4

v6.7.0-RC5

v6.7.1

v6.8.0

v6.8.0-M1

v6.8.0-M2

v6.8.0-M3

v6.8.0-RC1

v6.8.0-RC2

v6.8.0-RC3

v6.8.0-RC4

v6.8.0-RC5

v6.8.1

v6.8.2

v6.8.3

v7.*

v7.0.0

v7.0.0-M1

v7.0.0-M2

v7.0.0-M3

v7.0.0-RC1

v7.0.0-RC2

v7.0.1

v7.0.2

v7.1.0

v7.1.0-RC1

v7.1.0-RC2

v7.1.1

v7.2.0

v7.2.0-RC1

v7.2.0-RC2

v7.2.0-RC3

v7.3.0

v7.3.0-RC1

v7.3.0-RC2

v7.3.0-RC3

v7.3.0-RC4

v7.3.0-RC5

v7.3.1

v7.3.2

v7.3.3

v7.3.3-RC1

v7.4.0

v7.4.0-RC1

v7.4.0-RC2

v7.4.1

v7.4.2

v7.5.0

v7.5.0-M1

v7.5.0-RC1

v7.5.0-RC2

v7.5.0-RC3

v7.5.0-RC4

v7.5.0-RC5

v7.5.1

v7.6.0

v7.6.0-M1

v7.6.0-RC1

v7.6.0-RC2

v7.6.0-RC3

v7.6.0-RC4

v7.6.1

v8.*

v8.0.0

v8.0.0-M1

v8.0.0-M2

v8.0.0-M3

v8.0.0-M4

v8.0.0-M5

v8.0.0-M6

v8.0.0-RC1

v8.0.0-RC2

v8.0.0-RC3

v8.0.0-RC4

v8.0.0-RC5

v8.0.1

v8.0.2

v8.1.0

v8.1.0-RC1

v8.1.0-RC2

v8.1.0-RC3

v8.1.0-RC4

v8.1.1

v8.2.0-M1

v8.2.0-RC1

v8.2.0-RC2