Main Vulnerability Database Vulnerabilities #VU60583

Code Injection in gradle - CVE-2022-23630

Published: February 14, 2022

Vulnerability identifier: #VU60583

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-23630

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
gradle

Software vendor:
Gradle

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a dependency verification bypass flaw in the ResolutionStrategy.disableDependencyVerification() function. A remote administrator can send a specially crafted binary and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install updates from vendor's website.

External links

https://docs.gradle.org/7.4/release-notes.html
https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351
https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr

Code Injection in gradle - CVE-2022-23630

Description

Remediation

External links

Please verify you're human