CVE-2023-35947
CVSS 3.1 Score 8.1 of 10 (high)
Details
Summary
CVE-2023-35947 is a path traversal vulnerability in Gradle, a build tool used for automation and multi-language development. In affected versions, Gradle does not verify write permissions when unpacking Tar archives, potentially allowing important files to be overwritten and sensitive information to be disclosed through arbitrary file reads. An attacker can exploit this issue by controlling the source of an archive used by the build or modifying it to interact with a malicious archive. This behavior could lead to data leakage or unauthorized file modifications. Gradle versions 7.6.2 and 8.2 include a fix that prevents handling of Tar archives with path traversal elements in Tar entry names. Users are strongly advised to upgrade to a patched version to mitigate this vulnerability. No known workarounds exist, and build security should be enhanced through inspections of untrusted Tar archives and proper security configuration for remote build caches. This vulnerability, also known as TarSlip, can potentially affect Gradle's build cache, which can be exploited if an attacker controls a remote build cache server or performs a man-in-the-middle attack between the remote cache and the build. This issue can lead to serious consequences, including data leaks and unauthorized file modifications. (Source: CVE-2023-35947 description)
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Gradle
Affected Vendors
- Gradle