Bug 2242538 (CVE-2023-42445) - CVE-2023-42445 gradle: Possible local text file exfiltration by XML External entity injection
Summary: CVE-2023-42445 gradle: Possible local text file exfiltration by XML External ...
Keywords:
Status: NEW
Alias: CVE-2023-42445
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2243031
Blocks: 2242537
Reported: 2023-10-06 19:43 UTC by Patrick Del Bello
Modified: 2024-02-01 03:42 UTC (History)

Fixed In Version: gradle 7.6.3, gradle 8.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Gradle. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), parsing XML can lead to the exfiltration of local text files to a remote server. In most cases, Gradle parses XML files it generated, or that were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:7678 | 0 | None | None | None | 2023-12-06 23:30:56 UTC

Description Patrick Del Bello 2023-10-06 19:43:39 UTC
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or that were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.


https://github.com/gradle/gradle/releases/tag/v7.6.3
https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8
https://github.com/gradle/gradle/releases/tag/v8.4.0

Comment 6 errata-xmlrpc 2023-12-06 23:30:53 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.6.0

Via RHSA-2023:7678 https://access.redhat.com/errata/RHSA-2023:7678

