Debian Gradle vulnerabilities

18 known vulnerabilities affecting debian/gradle.

Total CVEs: 18
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 5, LOW 8

Vulnerabilities

CVE-2026-22816 | HIGH | CVSS 8.6 | 2026 | debian
[HIGH] gradle - Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and pote
CVE-2026-22865 | HIGH | CVSS 8.6 | 2026 | debian
[HIGH] gradle - Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and pote
CVE-2025-27148 | LOW | CVSS 8.8 | 2025 | debian
[HIGH] gradle - Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. On Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. This library initialization could be vulnerable to a local privilege escalation from an attacker quickly deleti
CVE-2023-35947 | MEDIUM | CVSS 6.9 | 2023 | debian
[MEDIUM] gradle - Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries
CVE-2023-35946 | MEDIUM | CVSS 6.9 | 2023 | debian
[MEDIUM] gradle - Gradle is a build tool with a focus on build automation and support for multi-language development. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, Gradle can be made to write files into an unintended location. The file may be written outside t
CVE-2023-42445 | MEDIUM | CVSS 6.8 | 2023 | debian
[MEDIUM] gradle - Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purp
CVE-2023-26053 | LOW | CVSS 6.6 | 2023 | debian
[MEDIUM] gradle - Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency
CVE-2023-44387 | LOW | CVSS 3.2 | 2023 | debian
[LOW] gradle - Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world r
CVE-2022-23630 | LOW | CVSS 7.5 | 2022 | debian
[HIGH] gradle - Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common depen
CVE-2022-31156 | LOW | CVSS 6.6 | 2022 | debian
[MEDIUM] gradle - Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the bui
CVE-2021-29428 | HIGH | CVSS 8.8 | 2021 | debian
[HIGH] gradle - In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions that allow multiple users to create and delete files within it. Gradle builds could be vulnerable to a local privilege escalation from an attacker quickly deleting and recreating files in the system temporary directory. This vulnerability impacted b
CVE-2021-32751 | HIGH | CVSS 7.5 | 2021 | debian
[HIGH] gradle - Gradle is a build tool with a focus on build automation. In versions prior to 7.2, start scripts generated by the `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script. This may impact those who use `gradlew` on Unix-like systems or use the
CVE-2021-29429 | MEDIUM | CVSS 4.0 | 2021 | debian
[MEDIUM] gradle - In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded into the system temporary directory first. Sensitive information cont
CVE-2021-29427 | LOW | CVSS 8.0 | 2021 | debian
[HIGH] gradle - In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure and/or dependency poisoning. Repository content filtering is a security control Gradle introduced to help users specify what repositories are used to resolve specific dependencies. This feature was introduced in the wake of the "A Confusing Dependency"
CVE-2019-11065 | MEDIUM | CVSS 5.9 | fixed in gradle 4.4.1-10 (bookworm) | 2019 | debian
[MEDIUM] gradle - Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download dependencies when the built-in JavaScript or CoffeeScript Gradle plugins are used. Dependency artifacts could have been maliciously compromised by a MITM attack against the ajax.googleapis.com web site.
Scope: local; bookworm: resolved (fixed in 4.4.1-10); bullseye: resolved (fixed in 4.4.1-10); fo
CVE-2019-16370 | LOW | CVSS 5.9 | fixed in gradle 4.4.1-18 (bookworm) | 2019 | debian
[MEDIUM] gradle - The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.
Scope: local; bookworm: resolved (fixed in 4.4.1-18); bullseye: open; forky: resolved (fixed in 4.4.1-18); sid: resolved (fixed in 4.4.1-18); trixie:
CVE-2019-15052 | LOW | CVSS 9.8 | 2019 | debian
[CRITICAL] gradle - The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If that host returns a 30x redirect, Gradle also sends those credentials to all subsequent hosts that the request redirects to. This is similar to CVE-2018-1000007.
Scope: local; bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
CVE-2016-6199 | CRITICAL | CVSS 9.8 | fixed in gradle 2.13-1 (bookworm) | 2016 | debian
[CRITICAL] gradle - ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object.
Scope: local; bookworm: resolved (fixed in 2.13-1); bullseye: resolved (fixed in 2.13-1); forky: resolved (fixed in 2.13-1); sid: resolved (fixed in 2.13-1); trixie: resolved (fixed in 2.13-1)
Debian Gradle vulnerabilities | cvebase