Source: gradle
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for gradle.

CVE-2023-42445[0]:
| Gradle is a build tool with a focus on build automation and support
| for multi-language development. In some cases, when Gradle parses
| XML files, resolving XML external entities is not disabled. Combined
| with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead
| to exfiltration of local text files to a remote server. Gradle
| parses XML files for several purposes. Most of the time, Gradle
| parses XML files it generated or that were already present locally. Only
| Ivy XML descriptors and Maven POM files can be fetched from remote
| repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4,
| resolving XML external entities has been disabled for all use cases
| to protect against this vulnerability. Gradle will now refuse to
| parse XML files that have XML external entities.

https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42445
    https://www.cve.org/CVERecord?id=CVE-2023-42445

Please adjust the affected versions in the BTS as needed.

--
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
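The advisory above describes the fix as a policy: the parser refuses any XML document that carries external entities, so a remotely fetched Ivy descriptor or Maven POM can never trigger an OOB-XXE fetch. The following is an added example of that policy on the JVM using the standard JAXP API; it is not Gradle's own code, and the class name `StrictXmlParser`, the two sample documents and the placeholder entity URI are all constructed for illustration. It assumes the JDK's built-in parser, which honours the Xerces feature names used here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Hardened XML parsing for build descriptors (added example, not Gradle code):
 * DTDs and external entities are refused outright, which is the behaviour the
 * advisory describes for Gradle 7.6.3 / 8.4.
 */
public final class StrictXmlParser {

    /** Builds a JAXP DocumentBuilder that rejects any DOCTYPE or external entity. */
    public static DocumentBuilder newStrictBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Refuse DTDs altogether: with no DOCTYPE there can be no entity declarations.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses the document, or throws SAXException if it carries a DOCTYPE. */
    public static Document parseStrict(String xml) throws Exception {
        return newStrictBuilder().parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal POM-like descriptor with no DTD.
        String benign = "<?xml version=\"1.0\"?>\n"
            + "<project><groupId>com.example</groupId>"
            + "<artifactId>demo</artifactId><version>1.0</version></project>";

        // Constructed sample: the same descriptor with an external entity declared.
        // The URI is a placeholder; the strict parser never fetches it because the
        // DOCTYPE itself is rejected before any entity could be resolved.
        String withExternalEntity = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE project [ <!ENTITY ext SYSTEM \"http://placeholder.invalid/x\"> ]>\n"
            + "<project><artifactId>&ext;</artifactId></project>";

        Document ok = parseStrict(benign);
        System.out.println("benign parsed, root = " + ok.getDocumentElement().getTagName());

        try {
            parseStrict(withExternalEntity);
            System.out.println("UNEXPECTED: descriptor with external entity was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The first feature alone is enough with the JDK's Xerces-derived parser; the remaining settings matter when a different JAXP implementation is on the classpath and does not recognise `disallow-doctype-decl`, in which case `setFeature` throws `ParserConfigurationException` rather than silently continuing, so a misconfigured parser fails closed instead of open.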
