UBUNTU-CVE-2023-35946

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2023-35946
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-35946.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2023-35946
Related
Published
2023-06-30T21:15:00Z
Modified
2024-10-15T14:11:37Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or overwrite important files elsewhere on the filesystem where the Gradle process has write permissions. Exploiting this vulnerability requires an attacker to have control over a dependency repository used by the Gradle build or have the ability to modify the build's configuration. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Gradle will refuse to cache dependencies that have path traversal elements in their dependency coordinates. It is recommended that users upgrade to a patched version. If you are unable to upgrade to Gradle 7.6.2 or 8.2, dependency verification will make this vulnerability more difficult to exploit.

References

Affected packages

Ubuntu:Pro:16.04:LTS / gradle

Package

Name
gradle
Purl
pkg:deb/ubuntu/gradle?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.5-3
2.7-1
2.7-2
2.7-3
2.10-1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / gradle

Package

Name
gradle
Purl
pkg:deb/ubuntu/gradle?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.2.1-3build2
3.2.1-4
3.2.1-5
3.4.1-4
3.4.1-6
3.4.1-7ubuntu1

4.*

4.4.1-5ubuntu2~18.04
4.4.1-5ubuntu2~18.04+esm1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / gradle

Package

Name
gradle
Purl
pkg:deb/ubuntu/gradle?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-8
4.4.1-9
4.4.1-10

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / gradle

Package

Name
gradle
Purl
pkg:deb/ubuntu/gradle?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-13

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / gradle

Package

Name
gradle
Purl
pkg:deb/ubuntu/gradle?arch=src?distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-20
4.4.1-20build1

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / gradle

Package

Name
gradle
Purl
pkg:deb/ubuntu/gradle?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.1-18
4.4.1-20

Ecosystem specific 

{
    "ubuntu_priority": "medium"
}