CVE-2022-31156

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-31156
Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files.

6.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://docs.gradle.org/7.5/release-notes.html Release Notes Vendor Advisory
https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j Third Party Advisory
https://docs.gradle.org/7.5/release-notes.html Release Notes Vendor Advisory
https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*
History

21 Nov 2024, 07:04

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.4 		v2 : unknown
v3 : 6.6
References () https://docs.gradle.org/7.5/release-notes.html - Release Notes, Vendor Advisory () https://docs.gradle.org/7.5/release-notes.html - Release Notes, Vendor Advisory
References () https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j - Third Party Advisory () https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j - Third Party Advisory

24 Jul 2023, 13:16

Type Values Removed Values Added
CWE CWE-829 CWE-347
Information

Published : 2022-07-14 20:15

Updated : 2024-11-21 07:04

NVD link : CVE-2022-31156

Mitre link : CVE-2022-31156

CVE.ORG link : CVE-2022-31156

JSON object : View

Products Affected

gradle

  • gradle
CWE
CWE-829

Inclusion of Functionality from Untrusted Control Sphere

CWE-347

Improper Verification of Cryptographic Signature


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024