Bugzilla – Bug 1188569
VUL-0: CVE-2021-32751: gradle: `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution
Last modified: 2022-10-27 08:12:32 UTC
Gradle is a build tool with a focus on build automation. In versions prior to
7.2, start scripts generated by the `application` plugin and the `gradlew`
script are both vulnerable to arbitrary code execution when an attacker is able
to change environment variables for the user running the script. This may impact
those who use `gradlew` on Unix-like systems or use the scripts generated by
Gradle in their application on Unix-like systems. For this vulnerability to be
exploitable, an attacker needs to be able to set the value of particular
environment variables and have those environment variables be seen by the
vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the
use of `eval` and requiring the use of the `bash` shell.
There are a few workarounds available. For CI/CD systems using the Gradle build
tool, one may ensure that untrusted users are unable to change environment
variables for the user that executes `gradlew`. If one is unable to upgrade to
Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it
for older versions of Gradle. For applications using start scripts generated by
Gradle, one may ensure that untrusted users are unable to change environment
variables for the user that executes the start script. A vulnerable start script
could be manually patched to remove the use of `eval` or the use of environment
variables that affect the application's command-line. If the application is
simple enough, one may be able to avoid the use of the start scripts by running
the application directly with Java command.
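A regression check for the `eval` pattern the advisory describes, as an added example that is not Gradle's script and not code from this bug report. It is a constructed model: `APP_OPTS`, `build_args_eval`, `build_args_split`, `canary_fires` and `normal_count` are hypothetical names, and the marker file is harmless.

```shell
#!/bin/sh
# Constructed model of a start script's option handling; not Gradle's script.
# APP_OPTS is a hypothetical stand-in for the option variables such a script reads.

CANARY="${TMPDIR:-/tmp}/eval_canary.$$"   # harmless marker file (path assumed free of spaces)

# Pattern the advisory warns about: eval re-parses the variable's text as
# shell code, so a command substitution hidden in it is executed.
build_args_eval() {
    eval set -- $APP_OPTS '"$@"'
    echo "$#"
}

# Hardened form: the value is only word-split, never re-parsed, so it stays data.
build_args_split() {
    set -f                  # disable globbing while the value is split
    set -- $APP_OPTS "$@"
    set +f
    echo "$#"
}

# Returns 0 if the builder named in $1 executed the embedded command.
canary_fires() {
    rm -f "$CANARY"
    ( APP_OPTS="-Xmx64m \$(touch $CANARY)"; "$1" app.jar ) >/dev/null 2>&1
    if [ -e "$CANARY" ]; then
        rm -f "$CANARY"
        return 0
    fi
    return 1
}

# Argument count the hardened builder produces for ordinary options.
normal_count() {
    ( APP_OPTS="-Xmx64m -Dfoo=bar"; build_args_split app.jar )
}

for builder in build_args_eval build_args_split; do
    if canary_fires "$builder"; then
        echo "$builder: value from the environment was executed"
    else
        echo "$builder: value from the environment stayed data"
    fi
done
```

Plain word-splitting does not honour quotes inside the variable, so an option value containing spaces cannot be passed this way.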
Reassigning to coldpool, could you please take a look into SUSE:SLE-15-SP2:Update? Thanks!
15sp2/gradle has the same version as Factory/gradle so in case 15sp2/gradle is affected then Factory/gradle has the issue as well.
Adding maintainers of Java:packages, the package itself does not have a maintainer defined.