CVE-2022-31156 — Inclusion of Functionality from Untrusted Control Sphere in Gradle

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere CWE-347 — Improper Verification of Cryptographic Signature4 documents4 sources

Severity

4.4MEDIUMNVD

EPSS

0.2%

top 58.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gradle Debian Gradle

Timeline

PublishedJul 14

Description

Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metada…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:NExploitability: 0.7 | Impact: 3.6

Affected Packages3 packages

▶NVDgradle/gradle6.2.0 — 7.5.0

▶CVEListV5gradle/gradle>= 6.2, <= 7.4.2

▶debiandebian/gradle

🔴Vulnerability Details

OSV

CVE-2022-31156: Gradle is a build tool↗2022-07-14

▶

📋Vendor Advisories

Red Hat

gradle: Dependency verification can ignore checksum verification when signature verification cannot be performed↗2022-07-14

▶

Debian

CVE-2022-31156: gradle - Gradle is a build tool. Dependency verification is a security feature in Gradle ...↗2022

▶