CVE-2023-35946 — Path Traversal in Gradle

CWE-22 — Path Traversal CWE-829 — Inclusion of Functionality from Untrusted Control Sphere4 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 71.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gradle Debian Gradle

Timeline

PublishedJun 30

Description

Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside the dependency cache or over another file in the dependency cache. This vulnerability could be used to poison the dependency cache or …

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages3 packages

▶NVDgradle/gradle8.0.0 — 8.2.0+1

▶CVEListV5gradle/gradle>= 8.0, < 8.2

▶debiandebian/gradle

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-35946: Gradle is a build tool with a focus on build automation and support for multi-language development↗2023-06-30

▶

📋Vendor Advisories

Red Hat

gradle: Dependency cache path traversal↗2023-06-30

▶

Debian

CVE-2023-35946: gradle - Gradle is a build tool with a focus on build automation and support for multi-la...↗2023

▶