Headline
CVE-2023-44387: Incorrect permission assignment for symlinked files used in copy or archiving operations
Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.
Impact
When copying files or creating archives, Gradle does not preserve symbolic links. Instead, Gradle resolves symbolic links to their underlying target file. The permissions of the new file are the permissions of the symbolic link instead of the permissions of the target file.
This can lead to files that have unintended permissions because symbolic links are usually world readable and writeable.
While it is unlikely this impacts the build directly, it may open attack vectors where build artifacts are used or extracted.
Patches
In Gradle 7.6.3 and 8.4, the permissions of the target file will be used when copying or archiving a symbolic link.
It is recommended that users upgrade to a patched version.
Workarounds
If you are unable to upgrade to a patched Gradle version, you should explicitly set permissions for any symbolic links when copying or creating an archive.
References
- CWE-732
- CVE-2023-34042: Incorrect Permission Assignment for spring-security.xsd
Related news
The spring-security.xsd file inside the spring-security-config jar is world writable which means that if it were extracted it could be written by anyone with access to the file system. While there are no known exploits, this is an example of “CWE-732: Incorrect Permission Assignment for Critical Resource” and could result in an exploit. Users should update to the latest version of Spring Security to mitigate any future exploits found around this issue.
Red Hat Security Advisory 2023-7678-03 - Red Hat AMQ Streams 2.6.0 is now available from the Red Hat Customer Portal. Issues addressed include XML injection, bypass, and open redirection vulnerabilities.