* When unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location.
# Impact This is a path traversal vulnerability when Gradle deals with Tar archives, often referenced as TarSlip, a variant of ZipSlip. There are no known workarounds for this vulnerability.
Starting from these versions, Gradle will refuse to handle Tar archives which contain path traversal elements in a Tar entry name. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. It is unlikely that this would go unnoticed. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. This could lead to important files being overwritten anywhere the Gradle process has write permissions. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. Gradle is a build tool with a focus on build automation and support for multi-language development.
0 kommentar(er)
