CVE-2023-35947 — Path Traversal in Gradle
Severity
8.1 HIGH (NVD)
EPSS
0.1%
top 69.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jun 30
Description
Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exp…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9
Affected Packages: 3 packages
Patches
Vulnerability Details
OSV (1)
CVE-2023-35947: Gradle is a build tool with a focus on build automation and support for multi-language development (2023-06-30)