GitHub_MCVELIST:CVE-2023-26053CVE-2023-26053 Gradle usage of long IDs for PGP keys opens potential for collision attacks
6.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
62.0%
Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a trusted-key or pgp element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for trusted-key or pgp element in the metadata is a protection against this issue.
CNA Affected
[
{
"vendor": "gradle",
"product": "gradle",
"versions": [
{
"version": ">= 6.2, < 6.9.4",
"status": "affected"
},
{
"version": ">= 7.0.0, < 7.6.1",
"status": "affected"
}
]
}
]Related
6.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
62.0%