CVE-2023-42445: Release 7.6.3 · gradle/gradle
Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), merely parsing an XML file can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files that it generated itself or that were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that declare XML external entities.
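The fix described above comes down to how the JVM XML parser is configured before it is handed an Ivy descriptor or POM. The following added example (written for this page; it is not Gradle's own code) contrasts a default `DocumentBuilderFactory`, which will try to resolve an external entity, with a hardened one that rejects any DOCTYPE and therefore any entity declaration. Both input documents are constructed here, and the entity's `file:///placeholder/local-file.txt` target is a placeholder path, not a real file; the default parser's attempt to open it is what surfaces as an `IOException`.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParsing {

    // Constructed sample: a minimal POM-like document with no DTD.
    static final String PLAIN_POM =
        "<project><groupId>example</groupId><artifactId>demo</artifactId></project>";

    // Constructed sample: the same document with a DOCTYPE that declares an
    // external entity pointing at a placeholder local path (not a real file).
    static final String POM_WITH_EXTERNAL_ENTITY =
        "<!DOCTYPE project [<!ENTITY ext SYSTEM \"file:///placeholder/local-file.txt\">]>"
        + "<project><groupId>example</groupId><artifactId>&ext;</artifactId></project>";

    /** Parser configured to refuse DOCTYPE declarations and external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no entity can then be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parser with JDK defaults: external entities are resolved. For contrast only. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    static Document parse(DocumentBuilder b, String xml) throws Exception {
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = hardenedBuilder();

        // A DTD-free document still parses normally with the hardened configuration.
        Document ok = parse(hardened, PLAIN_POM);
        System.out.println("hardened parser accepted plain POM, artifactId = "
            + ok.getElementsByTagName("artifactId").item(0).getTextContent());

        // The hardened parser stops at the DOCTYPE before any entity is touched.
        try {
            parse(hardened, POM_WITH_EXTERNAL_ENTITY);
            System.out.println("unexpected: hardened parser accepted a DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser refused DOCTYPE: " + e.getMessage());
        }

        // The default parser tries to read the entity's target; since the
        // placeholder path does not exist, that attempt surfaces as an IOException.
        try {
            parse(defaultBuilder(), POM_WITH_EXTERNAL_ENTITY);
            System.out.println("unexpected: default parser resolved the entity silently");
        } catch (IOException e) {
            System.out.println("default parser attempted to resolve external entity: " + e);
        }
    }
}
```

Rejecting the DOCTYPE entirely, rather than only switching off entity expansion, is the configuration that matches the behaviour the advisory describes for 7.6.3 and 8.4: a descriptor that carries any entity declaration is refused instead of being parsed with the declaration ignored. The same feature flags apply to `SAXParserFactory` and, through `XMLInputFactory` properties, to StAX readers; any code path that parses XML fetched from a repository should use one of these configurations.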
This is a patch release for 7.6. We recommend using 7.6.3 instead of 7.6.
This release addresses two security vulnerabilities:
- Incorrect permission assignment for symlinked files used in copy or archiving operations
- Possible local text file exfiltration by XML External Entity (XXE) injection
It also fixes the following issues:
- #25781 Backport finalized task performance fix to 7.6.x
- #25802 Backport cgroups fix to 7.6.x
Upgrade Instructions
Switch your build to use Gradle 7.6.3 by updating your wrapper:
./gradlew wrapper --gradle-version=7.6.3
See the Gradle 7.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading to Gradle 7.6.3.
Reporting Problems
If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you’re not sure you’re encountering a bug, please use the forum.