Lucene search
K

83 matches found

OSV
OSV
added 2024/03/06 10:53 a.m.13 views

BIT-GRADLE-2022-31156 Gradle's dependency verification can ignore checksum verification when signature verification cannot be performed

Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that...

6.6CVSS5.5AI score0.00507EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2023/10/25 12:59 a.m.5 views

SUSE CVE-2023-46122

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. This would have potential to overwrite /root/.ssh/authorizedkeys. Within sbt's main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however...

3.9CVSS7.6AI score0.0034EPSS
Exploits1References6
Prion
Prion
added 2023/10/23 4:15 p.m.18 views

Code injection

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, IO.unzip allows writing of arbitrary file. This would have potential to overwrite /root/.ssh/authorizedkeys. Within sbt's main code, IO.unzip is used in pullRemoteCache task and Resolvers.remote; however...

3.3CVSS6.8AI score0.0034EPSS
Exploits1References4Affected Software2
CVE
CVE
added 2023/10/23 3:51 p.m.74 views

CVE-2023-46122

CVE-2023-46122 affects sbt’s IO.unzip and can enable arbitrary file writes when extracting a crafted zip/JAR, with potential to overwrite the root SSH authorized_keys. Within sbt, IO.unzip is used in pullRemoteCache and Resolvers.remote, and many projects call IO.unzip directly. Root cause: archi...

7.1CVSS5.5AI score0.0034EPSS
Exploits1References4Affected Software2
CVE
CVE
added 2023/10/06 1:52 p.m.176 views

CVE-2023-42445

CVE-2023-42445 affects Gradle: XML External Entity (XXE) resolution was not disabled in some parsing paths, enabling potential exfiltration of local text files via XML parsing with an OOB-XXE scenario. Documents confirm Gradle now disables XML external entities for all use cases in Gradle 7.6.3 a...

6.8CVSS6AI score0.00674EPSS
Exploits0References4Affected Software1
AlpineLinux
AlpineLinux
added 2023/10/05 6:15 p.m.29 views

CVE-2023-44387

Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to...

6.5CVSS6.8AI score0.0021EPSS
Exploits0
Debian CVE
Debian CVE
added 2023/10/05 5:51 p.m.35 views

CVE-2023-44387

Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to...

6.5CVSS5.2AI score0.0021EPSS
Exploits0
OSV
OSV
added 2023/08/14 12:0 a.m.27 views

ALSA-2023:4635 Important: rust-toolset:rhel8 security update

Rust Toolset provides the Rust programming language compiler rustc, the cargo build tool and dependency manager, and required libraries. Security Fixes: rust-cargo: cargo does not respect the umask when extracting dependencies CVE-2023-38497 For more details about the security issues, including t...

7.9CVSS7AI score0.00763EPSS
Exploits0References4
OSV
OSV
added 2023/06/08 9:15 p.m.6 views

AZL-37347 CVE-2023-29405 affecting package golang for versions less than 1.21.6-1

The go command may execute arbitrary code at build time when using cgo. This may occur when running "go get" on a malicious module, or when running any other command which builds untrusted code. This is can by triggered by linker flags, specified via a "cgo LDFLAGS" directive. Flags containing...

9.8CVSS7AI score0.01728EPSS
Exploits0References1
Prion
Prion
added 2023/04/28 4:15 p.m.16 views

Default configuration

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets...

4CVSS6.5AI score0.00285EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2023/04/28 3:10 p.m.25 views

CVE-2023-30853 Gradle Build Action data written to GitHub Actions Cache may expose secrets

Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts GitHub workflows using the Gradle Build Action prior to version 2.4.2 that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets...

7.6CVSS6.8AI score0.00285EPSS
Exploits0References4
CVE
CVE
added 2023/04/28 3:10 p.m.43 views

CVE-2023-30853

CVE-2023-30853 describes an information disclosure in the Gradle Build Action for GitHub Actions when the configuration cache is enabled in versions prior to 2.4.2. Environment variables passed to Gradle can be persisted into GitHub Actions cache entries, which may be read by untrusted workflows ...

7.6CVSS7.1AI score0.00285EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2023/04/28 12:0 a.m.8 views

PT-2023-23009 · Gradle +1 · Gradle Build Tool +1

Name of the Vulnerable Software and Affected Versions: Gradle Build Action versions prior to 2.4.2 Description: A vulnerability in the Gradle Build Action impacts GitHub workflows that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configure...

7.6CVSS6.5AI score0.00285EPSS
Exploits0References7
OSV
OSV
added 2022/11/19 9:30 p.m.35 views

GHSA-RC2Q-X9MF-W3VF TestNG is vulnerable to Path Traversal

Impact Affected by this vulnerability is the function testngXmlExistsInJar of the file testng-core/src/main/java/org/testng/JarFileUtils.java of the component XML File Parser. The manipulation leads to path traversal only for .xml, .yaml and .yml files by default. The attack implies running an...

7.8CVSS7.2AI score0.00876EPSS
Exploits1References11
NVD
NVD
added 2022/07/14 8:15 p.m.37 views

CVE-2022-31156

Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that...

6.6CVSS0.00507EPSS
Exploits0References2
UbuntuCve
UbuntuCve
added 2022/07/14 8:15 p.m.25 views

CVE-2022-31156

Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that...

6.6CVSS5.9AI score0.00507EPSS
Exploits0References3
Cvelist
Cvelist
added 2022/07/14 8:5 p.m.41 views

CVE-2022-31156 Gradle's dependency verification can ignore checksum verification when signature verification cannot be performed

Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that...

6.6CVSS6.7AI score0.00507EPSS
Exploits0References2
OSV
OSV
added 2022/07/14 8:5 p.m.32 views

CVE-2022-31156 Gradle's dependency verification can ignore checksum verification when signature verification cannot be performed

Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that...

6.6CVSS4.9AI score0.00507EPSS
Exploits0References4
CVE
CVE
added 2022/07/14 8:5 p.m.84 views

CVE-2022-31156

CVE-2022-31156 : Gradle’s dependency verification can skip checksum verification when signature verification cannot be performed. Affected versions: 6.2–7.4.2. If verification metadata contains only a gpg element (no checksum) or if there is no signature file on the remote repo, Gradle may accept...

6.6CVSS5.2AI score0.00507EPSS
Exploits0References2Affected Software1
Debian CVE
Debian CVE
added 2022/07/14 8:5 p.m.47 views

CVE-2022-31156

Gradle is a build tool. Dependency verification is a security feature in Gradle Build Tool that was introduced to allow validation of external dependencies either through their checksum or cryptographic signatures. In versions 6.2 through 7.4.2, there are some cases in which Gradle may skip that...

6.6CVSS5AI score0.00507EPSS
Exploits0
Rows per page
Query Builder