CVE-2023-42445XML External Entity (XXE) Injection in Gradle

CWE-611XML External Entity (XXE) Injection6 documents5 sources
Severity
5.3MEDIUMNVD
EPSS
0.4%
top 41.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GradleDebian Gradle
Timeline
PublishedOct 6

Description

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages3 packages

CVEListV5gradle/gradle< 8.4
NVDgradle/gradle8.0.08.4.0+1
debiandebian/gradle

🔴Vulnerability Details

1
OSV
CVE-2023-42445: Gradle is a build tool with a focus on build automation and support for multi-language development2023-10-06

📋Vendor Advisories

2
Red Hat
gradle: Possible local text file exfiltration by XML External entity injection2023-10-06
Debian
CVE-2023-42445: gradle - Gradle is a build tool with a focus on build automation and support for multi-la...2023

🕵️Threat Intelligence

2
Wiz
CVE-2026-22865 Impact, Exploitability, and Mitigation Steps | Wiz
Wiz
CVE-2026-22816 Impact, Exploitability, and Mitigation Steps | Wiz