CVE-2023-42445

EPSS 0.37%
Published 06.10.2023 14:15:12
Last modified 11.04.2025 14:50:21
Source security-advisories@github.com
Teams watchlist Login
Open Login

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server. Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle. In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Gradle ≫ Gradle Version < 7.6.3

Gradle ≫ Gradle Version >= 8.0.0 < 8.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.37%	0.574

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
security-advisories@github.com	6.8	1.6	5.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://github.com/gradle/gradle/releases/tag/v7.6.3

Release Notes

https://github.com/gradle/gradle/releases/tag/v8.4.0

Release Notes

https://security.netapp.com/advisory/ntap-20231110-0006/

Third Party Advisory

https://github.com/gradle/gradle/security/advisories/GHSA-mrff-q8qj-xvg8

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-42445

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-42445

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-42445

EUVD