CVE-2023-42445: Release 7.6.3 · gradle/gradle

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files that it generated itself or that were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.
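As an added illustration (not Gradle's own code), the following shows how a JAXP parser on the JVM is locked down so that a fetched POM or Ivy descriptor declaring an external entity is refused instead of resolved. The class and method names and both sample documents are constructed for this example; the configuration rejects any DOCTYPE, which is stricter than the behaviour the advisory describes.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Hardened JAXP setup: external entities are never resolved and any DOCTYPE is rejected. */
public final class SafePomParser {

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject <!DOCTYPE ...> outright, so no entity declarations are ever processed.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Returns the artifactId of a POM; throws SAXParseException if the document carries a DOCTYPE. */
    static String artifactId(String pomXml) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(pomXml)));
        return doc.getElementsByTagName("artifactId").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a benign POM fragment as it would be fetched from a repository.
        String benign = "<project><groupId>example</groupId><artifactId>demo</artifactId></project>";
        // Constructed sample: the same POM declaring an external entity on a placeholder local path.
        String hostile = "<!DOCTYPE project [<!ENTITY ext SYSTEM \"file:///placeholder/local.txt\">]>"
                + "<project><artifactId>&ext;</artifactId></project>";

        System.out.println("benign artifactId = " + artifactId(benign));
        try {
            artifactId(hostile);
            System.out.println("UNEXPECTED: hostile POM was parsed");
        } catch (SAXParseException e) {
            // This is the behaviour the 7.6.3 fix aims for: the document is refused, nothing is resolved.
            System.out.println("hostile POM rejected: " + e.getMessage());
        }
    }
}
```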


This is a patch release for 7.6. We recommend using 7.6.3 instead of 7.6.

This release addresses two security vulnerabilities:

  • Incorrect permission assignment for symlinked files used in copy or archiving operations
  • Possible local text file exfiltration by XML External entity injection

It also fixes the following issues:

  • #25781 Backport finalized task performance fix to 7.6.x
  • #25802 Backport cgroups fix to 7.6.x

Read the Release Notes

Upgrade Instructions

Switch your build to use Gradle 7.6.3 by updating your wrapper:

./gradlew wrapper --gradle-version=7.6.3

See the Gradle 7.x upgrade guide to learn about deprecations, breaking changes and other considerations when upgrading to Gradle 7.6.3.

Reporting Problems

If you find a problem with this release, please file a bug on GitHub Issues adhering to our issue guidelines.
If you’re not sure you’re encountering a bug, please use the forum.
