cve-2022-31156
Vulnerability from cvelistv5
Published
2022-07-14 20:05
Modified
2024-08-03 07:11
Summary
Gradle's dependency verification can ignore checksum verification when signature verification cannot be performed
Impacted products
gradlegradle
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:11:39.622Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://docs.gradle.org/7.5/release-notes.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gradle",
          "vendor": "gradle",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 6.2, \u003c= 7.4.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-14T20:05:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.gradle.org/7.5/release-notes.html"
        }
      ],
      "source": {
        "advisory": "GHSA-j6wc-xfg8-jx2j",
        "discovery": "UNKNOWN"
      },
      "title": "Gradle\u0027s dependency verification can ignore checksum verification when signature verification cannot be performed",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31156",
          "STATE": "PUBLIC",
          "TITLE": "Gradle\u0027s dependency verification can ignore checksum verification when signature verification cannot be performed"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "gradle",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 6.2, \u003c= 7.4.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "gradle"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j",
              "refsource": "CONFIRM",
              "url": "https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j"
            },
            {
              "name": "https://docs.gradle.org/7.5/release-notes.html",
              "refsource": "MISC",
              "url": "https://docs.gradle.org/7.5/release-notes.html"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-j6wc-xfg8-jx2j",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31156",
    "datePublished": "2022-07-14T20:05:11",
    "dateReserved": "2022-05-18T00:00:00",
    "dateUpdated": "2024-08-03T07:11:39.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31156\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-07-14T20:15:08.553\",\"lastModified\":\"2023-07-24T13:16:26.760\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This can occur in two ways. When signature verification is disabled but the verification metadata contains entries for dependencies that only have a `gpg` element but no `checksum` element. When signature verification is enabled, the verification metadata contains entries for dependencies with a `gpg` element but there is no signature file on the remote repository. In both cases, the verification will accept the dependency, skipping signature verification and not complaining that the dependency has no checksum entry. For builds that are vulnerable, there are two risks. Gradle could download a malicious binary from a repository outside your organization due to name squatting. For those still using HTTP only and not HTTPS for downloading dependencies, the build could download a malicious library instead of the expected one. Gradle 7.5 patches this issue by making sure to run checksum verification if signature verification cannot be completed, whatever the reason. Two workarounds are available: Remove all `gpg` elements from dependency verification metadata if you disable signature validation and/or avoid adding `gpg` entries for dependencies that do not have signature files.\"},{\"lang\":\"es\",\"value\":\"Gradle es una herramienta de construcci\u00f3n. La verificaci\u00f3n de dependencias es una caracter\u00edstica de seguridad en la herramienta de construcci\u00f3n Gradle que fue introducida para permitir la comprobaci\u00f3n de las dependencias externas mediante su suma de comprobaci\u00f3n o de firmas criptogr\u00e1ficas. En versiones 6.2 hasta 7.4.2, se presentan algunos casos en los que Gradle puede omitir esa verificaci\u00f3n y aceptar una dependencia que, de otro modo, fallar\u00eda en la compilaci\u00f3n como un artefacto externo no confiable. Esto puede ocurrir de dos maneras. Cuando la verificaci\u00f3n de firmas est\u00e1 deshabilitada pero los metadatos de verificaci\u00f3n contienen entradas para dependencias que s\u00f3lo presentan un elemento \\\"gpg\\\" pero ning\u00fan elemento \\\"checksum\\\". Cuando la verificaci\u00f3n de firmas est\u00e1 habilitada, los metadatos de verificaci\u00f3n contienen entradas para dependencias con un elemento \\\"gpg\\\" pero no es presentado ning\u00fan archivo de firma en el repositorio remoto. En ambos casos, la verificaci\u00f3n aceptar\u00e1 la dependencia, omitiendo la verificaci\u00f3n de la firma y no quej\u00e1ndose de que la dependencia no presenta una entrada de suma de comprobaci\u00f3n. Para las construcciones que son vulnerables, se presentan dos riesgos. Gradle podr\u00eda descargar un binario malicioso de un repositorio fuera de su organizaci\u00f3n debido a la ocupaci\u00f3n de nombres. Para aquellos que todav\u00eda usan HTTP y no HTTPS para descargar dependencias, la compilaci\u00f3n podr\u00eda descargar una biblioteca maliciosa en lugar de la esperada. Gradle versi\u00f3n 7.5 parchea este problema al asegurarse de ejecutar la verificaci\u00f3n de la suma de comprobaci\u00f3n si la verificaci\u00f3n de la firma no puede completarse, sea cual sea el motivo. Se presentan dos mitigaciones disponibles: Eliminar todos los elementos \\\"gpg\\\" de los metadatos de verificaci\u00f3n de dependencias si es deshabilitada la comprobaci\u00f3n de firmas y/o evitar a\u00f1adir entradas \\\"gpg\\\" para las dependencias que no presentan archivos de firma\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.7,\"impactScore\":3.6},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.7,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-347\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-829\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2.0\",\"versionEndExcluding\":\"7.5.0\",\"matchCriteriaId\":\"F2F50EB8-F490-42D0-BD10-7E40394E1A17\"}]}]}],\"references\":[{\"url\":\"https://docs.gradle.org/7.5/release-notes.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/gradle/gradle/security/advisories/GHSA-j6wc-xfg8-jx2j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.