CVE-2023-26053
Gradle usage of long IDs for PGP keys opens potential for collision attacks
Severity Score
Exploit Likelihood
Affected Versions
2Public Exploits
0Exploited in Wild
-Decision
Descriptions
Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue.
This release of Red Hat build of Quarkus 2.13.8 includes security updates, bug fixes, and enhancements. Issues addressed include cross site request forgery, information leakage, insecure permissions, and traversal vulnerabilities.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-02-17 CVE Reserved
- 2023-03-02 CVE Published
- 2025-03-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-829: Inclusion of Functionality from Untrusted Control Sphere