CVE-2022-23630 - Gradle is a build tool with a focus on build automation and support for multi-language development.

CVE-2022-23630

Summary

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled.

References

Vulnerable Configurations

cpe:2.3:a:gradle:gradle:6.2.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.2.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.3.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.4.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.5.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc5:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc5:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc6:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.0:rc6:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.6.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc5:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.0:rc5:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.7.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc4:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc5:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.0:rc5:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.3:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.8.3:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.9.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.9.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.9.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.9.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.9.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:6.9.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.1.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.1.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.1.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.1.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.2.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:rc2:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:rc3:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:rc5:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.0:rc5:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.1:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.2:*:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.3:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.3:-:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.3:rc1:*:*:*:*:*:*
cpe:2.3:a:gradle:gradle:7.3.3:rc1:*:*:*:*:*:*

CVSS

Base:	6.0 (as of 17-02-2022 - 17:41)
Impact:
Exploitability:

CWE

CWE-829

CAPEC

Force Use of Corrupted Files
This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.
Code Inclusion
An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
DTD Injection
An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.
PHP Local File Inclusion
The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
Local Code Inclusion
The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.
Local Execution of Code
An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.
Remote Code Inclusion
The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.
XML Entity Linking
An attacker creates an XML document that contains an external entity reference. External entity references can take the form of <!ENTITY name system "uri"> tags in a DTD. Because processors may not validate documents with external entities, there may be no checks on the nature of the reference in the external entity. This can allow an attacker to open arbitrary files or connections.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:S/C:P/I:P/A:P

Last major update

17-02-2022 - 17:41

Published

10-02-2022 - 20:15

Last modified

17-02-2022 - 17:41