CVE-2022-31156 – Gradle's dependency verification can ignore checksum verification when signature verification cannot be performed
https://notcve.org/view.php?id=CVE-2022-31156
Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways; one is when signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element.
References: https://docs.gradle.org/7.5/release-notes.html, https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j
Weaknesses: CWE-347: Improper Verification of Cryptographic Signature; CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CVE-2022-30587
https://notcve.org/view.php?id=CVE-2022-30587
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to information disclosure.
References: https://security.gradle.com, https://security.gradle.com/advisory/2022-10
Weaknesses: CWE-522: Insufficiently Protected Credentials
CVE-2022-30586
https://notcve.org/view.php?id=CVE-2022-30586
Gradle Enterprise through 2022.2.2 has Incorrect Access Control that leads to code execution.
References: https://security.gradle.com, https://security.gradle.com/advisory/2022-09
Weaknesses: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-23630 – Dependency verification bypass in Gradle
https://notcve.org/view.php?id=CVE-2022-23630
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip dependency verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active.
References: https://docs.gradle.org/7.4/release-notes.html, https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351, https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr
Weaknesses: CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CVE-2021-41586
https://notcve.org/view.php?id=CVE-2021-41586
In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.
References: https://security.gradle.com/advisory/2021-05
Weaknesses: CWE-918: Server-Side Request Forgery (SSRF)