CVE-2023-35946 Overview
CVE-2023-35946 is a path traversal vulnerability affecting Gradle, a widely-used build automation tool that supports multi-language development. The vulnerability exists in how Gradle writes dependencies into its dependency cache, using dependency coordinates to compute file locations. An attacker with specially crafted dependency coordinates can manipulate Gradle to write files to unintended locations outside the dependency cache or overwrite existing files within the cache.
Critical Impact
This vulnerability enables dependency cache poisoning and arbitrary file overwrites on the filesystem where the Gradle process has write permissions, potentially leading to supply chain attacks or system compromise.
Affected Products
- Gradle versions prior to 7.6.2
- Gradle versions prior to 8.2
- All Gradle installations using dependency caching without verification
Discovery Timeline
- 2023-06-30 - CVE-2023-35946 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-35946
Vulnerability Analysis
This path traversal vulnerability (CWE-22) affects Gradle's dependency caching mechanism. When Gradle processes dependencies, it calculates the storage location in its local cache based on the dependency's coordinates (group ID, artifact ID, and version). The vulnerability arises from insufficient validation of these coordinates, allowing path traversal sequences to escape the intended cache directory structure.
Successful exploitation requires the attacker to either control a dependency repository used by the Gradle build or have the ability to modify the build's configuration directly. While this represents a significant barrier to exploitation, compromised or malicious repositories could leverage this flaw to poison development environments at scale.
The impact is primarily on integrity, as attackers can overwrite files but cannot directly read sensitive data through this vulnerability alone. However, overwriting critical build files, configuration scripts, or other sensitive resources could lead to code execution or further compromise of the build pipeline.
Root Cause
The root cause lies in Gradle's failure to properly sanitize dependency coordinates before using them to construct file paths in the dependency cache. When a dependency is downloaded, Gradle uses its coordinates (such as group:artifact:version) to determine where to store the cached files. Without proper validation, coordinates containing path traversal elements like ../ can manipulate the resulting file path, causing files to be written outside the designated cache directory.
The vulnerability specifically affects the file path computation logic that concatenates dependency coordinate components without checking for directory traversal sequences or normalizing the resulting paths.
Attack Vector
Exploitation of this vulnerability requires local access and involves the following attack scenario:
- An attacker gains control over a dependency repository that a target Gradle build references, or modifies the build configuration to point to a malicious repository
- The attacker publishes a dependency with specially crafted coordinates containing path traversal sequences (e.g., ../../../etc/)
- When a developer or CI/CD pipeline executes a Gradle build, the malicious dependency is fetched
- Gradle's caching mechanism writes the dependency files to an attacker-controlled location outside the cache directory
- The attacker achieves arbitrary file write capability within the Gradle process's permissions
The attack pattern involves crafting malicious dependency coordinates that include directory traversal elements. When Gradle processes these coordinates, the path computation logic fails to sanitize the input, resulting in file writes to locations outside the intended cache directory.
For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory GHSA-2h6c-rv6q-494v.
Detection Methods for CVE-2023-35946
Indicators of Compromise
- Unexpected files appearing outside the Gradle dependency cache directory (typically ~/.gradle/caches/modules-2/files-2.1/)
- Dependencies with unusual characters or path traversal sequences in their coordinates within build configuration files
- Modifications to critical system or build files that coincide with Gradle build executions
- Build logs showing dependencies with suspicious naming patterns containing .. sequences
Detection Strategies
- Implement file integrity monitoring on directories adjacent to or above the Gradle cache directory
- Audit build.gradle and settings.gradle files for references to untrusted or suspicious dependency repositories
- Review Gradle build logs for dependencies with anomalous coordinate patterns
- Monitor for unexpected file writes during Gradle build processes using endpoint detection tools
Monitoring Recommendations
- Enable SentinelOne's file integrity monitoring to detect writes outside expected Gradle cache locations
- Configure alerts for Gradle processes writing to sensitive system directories
- Implement centralized logging for all Gradle build activities in CI/CD environments
- Establish baseline behavior for Gradle's file operations and alert on deviations
How to Mitigate CVE-2023-35946
Immediate Actions Required
- Upgrade Gradle to version 7.6.2 or 8.2 or later immediately
- Enable Gradle's dependency verification feature if upgrading is not immediately possible
- Audit all configured dependency repositories for trustworthiness
- Review recent builds for any signs of compromise or unexpected file modifications
Patch Information
Gradle has released patches in versions 7.6.2 and 8.2 that address this vulnerability. The fix implements validation to refuse caching dependencies that have path traversal elements in their dependency coordinates. Organizations should upgrade to these patched versions as soon as possible.
Security patches are available via the following commits:
- Gradle Commit 859eae2b2acf751ae7db3c9ffefe275aa5da0d5d
- Gradle Commit b07e528feb3a5ffa66bdcc358549edd73e4c8a12
Workarounds
- Enable Gradle dependency verification to make exploitation more difficult by validating dependency checksums and signatures
- Restrict Gradle builds to only use trusted, internal dependency repositories
- Implement network-level controls to prevent builds from accessing unauthorized external repositories
- Run Gradle builds with minimal filesystem permissions to limit the impact of potential file overwrites
# Enable dependency verification in gradle/verification-metadata.xml
# Create this file to enforce checksum verification
gradle --write-verification-metadata sha256,sha512 help
# Review and commit the generated verification-metadata.xml file
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
