Source: gradle
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for gradle.

CVE-2021-32751[0]:
| Gradle is a build tool with a focus on build automation. In versions
| prior to 7.2, start scripts generated by the `application` plugin and
| the `gradlew` script are both vulnerable to arbitrary code execution
| when an attacker is able to change environment variables for the user
| running the script. This may impact those who use `gradlew` on
| Unix-like systems or use the scripts generated by Gradle in their
| application on Unix-like systems. For this vulnerability to be
| exploitable, an attacker needs to be able to set the value of
| particular environment variables and have those environment variables
| be seen by the vulnerable scripts. This issue has been patched in
| Gradle 7.2 by removing the use of `eval` and requiring the use of the
| `bash` shell. There are a few workarounds available. For CI/CD systems
| using the Gradle build tool, one may ensure that untrusted users are
| unable to change environment variables for the user that executes
| `gradlew`. If one is unable to upgrade to Gradle 7.2, one may generate
| a new `gradlew` script with Gradle 7.2 and use it for older versions
| of Gradle. For applications using start scripts generated by Gradle,
| one may ensure that untrusted users are unable to change environment
| variables for the user that executes the start script. A vulnerable
| start script could be manually patched to remove the use of `eval` or
| the use of environment variables that affect the application's
| command-line. If the application is simple enough, one may be able to
| avoid the use of the start scripts by running the application directly
| with the `java` command.

https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32751
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32751

Please adjust the affected versions in the BTS as needed.
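Added illustration of the bug class behind CVE-2021-32751; this is not part of the bug report, not Gradle's gradlew or start-script code, and not Gradle's 7.2 fix. It models the pattern the advisory names: a launcher that splits an options variable (think JAVA_OPTS) by handing it to `eval`, so shell syntax in an attacker-controlled environment variable is executed instead of reaching the JVM as plain words. Next to it is one eval-free split using POSIX field splitting; the function names `unsafe_split`/`safe_split` and the payload in `DEMO_PAYLOAD` are assumptions made up for the demo.

```shell
#!/bin/sh
# Added illustration for CVE-2021-32751. Not Gradle's gradlew/start-script
# code and not Gradle's actual 7.2 fix; it models the unsafe pattern the
# advisory describes and one hardened alternative.

# Vulnerable pattern (assumed, simplified): eval re-parses $1 as shell code,
# so $(...), backticks, ';' and '&&' inside it run as commands.
unsafe_split() {
    eval "set -- $1"
    printf '%s\n' "$@"
}

# Hardened pattern: rely on plain field splitting of an unquoted expansion.
# That splits on whitespace but never re-evaluates command substitutions;
# set -f disables globbing so a '*' in an option cannot expand either.
safe_split() {
    set -f
    set -- $1
    set +f
    printf '%s\n' "$@"
}

# Constructed demo payload standing in for an attacker-set JAVA_OPTS. The
# substitution is harmless here; in a real attack it would run anything.
DEMO_PAYLOAD='-Xmx512m $(echo INJECTED)'

# Did the substitution execute? Exit 0 iff the bare word INJECTED came out,
# i.e. the $(...) was evaluated rather than passed through as text.
unsafe_executes_payload() {
    unsafe_split "$DEMO_PAYLOAD" | grep -qx 'INJECTED'
}
safe_executes_payload() {
    safe_split "$DEMO_PAYLOAD" | grep -qx 'INJECTED'
}

# Stand-alone demonstration of both splits on the same payload.
echo "eval-based split:"; unsafe_split "$DEMO_PAYLOAD"
echo "eval-free split:";  safe_split "$DEMO_PAYLOAD"
```

The eval-based split prints `INJECTED` as its own word because the command substitution ran; the eval-free split prints the literal tokens `$(echo` and `INJECTED)`, which the JVM would then reject as unknown options rather than the shell executing them. Whether the workaround of blocking environment changes is enough depends on who can reach the script's environment in a given CI or deployment setup.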