CVE-2022-23630: Inclusion of Functionality from Untrusted Control Sphere in Gradle

Severity: 7.5 HIGH (NVD)
EPSS: 0.6% (top 30.15%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Feb 10

Description

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip dependency verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations share dependencies with other configurations on which dependency verification is enabled. If the configuration that has dependency verification

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (3 packages)

Source      Package         Affected versions
NVD         gradle/gradle   6.2.0 to 7.3.3
CVEListV5   gradle/gradle   >= 6.2, < 7.4
debian      debian/gradle

Patches

Vulnerability Details (1)

OSV: CVE-2022-23630: Gradle is a build tool with a focus on build automation and support for multi-language development (2022-02-10)

Vendor Advisories (1)

Debian: CVE-2022-23630: gradle - Gradle is a build tool with a focus on build automation and support for multi-la... (2022)