2219506 – (CVE-2023-35947) CVE-2023-35947 gradle: path traversal while handling of tar archives

Bug 2219506 (CVE-2023-35947) - CVE-2023-35947 gradle: path traversal while handling of tar archives

Summary: CVE-2023-35947 gradle: path traversal while handling of tar archives

Keywords:
Status:	NEW
Alias:	CVE-2023-35947
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2219509
Blocks:	2219508
TreeView+	depends on / blocked

Reported:	2023-07-04 05:20 UTC by TEJ RATHI
Modified:	2023-11-15 09:45 UTC (History)
CC List:	27 users (show)
Fixed In Version:	Gradle 7.6.2, Gradle 8.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Gradle. When unpacking Tar archives, Gradle did not check that files could be written outside the unpack location. This issue could lead to important files being overwritten anywhere the Gradle process has write permissions. This flaw allows an attacker with control of an archive's source used by the build or capability to modify the build to interact with a malicious archive and overwrite existing archives or extract information from sensitive files.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-07-04 05:20:55 UTC

Gradle, when unpacking Tar archives, did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879
https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842
https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91

Note You need to log in before you can comment on or make changes to this bug.

asoldano
bbaranow
bmaxwell
brian.stansberry
cdewolf
chazlett
darran.lofthouse
dkreling
dosoudil
fjuma
hhorak
ivassile
iweiss
jorton
lgao
mizdebsk
mosmerov
msochure
mstefank
msvehla
nwallace
peholase
pjindal
pmackay
rstancel
smaestri
tom.jenkinson