CVE-2023-26053

Published: Mar 2, 2023

Modified: Mar 5, 2025

PUBLISHED

CVSS v3.1

6.6

MEDIUM

Description

Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for `trusted-key` or `pgp` element in the metadata is a protection against this issue.

Vendor	Product	Versions
gradle	gradle	affected `>= 6.2, < 6.9.4` affected `>= 7.0.0, < 7.6.1`

Weaknesses (CWE)

CWE-829

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/gradle/gradle/security/advisories/GHSA-c724-3xg7-g3hf

x_refsource_CONFIRM

https://github.com/gradle/gradle/commit/bf3cc0f2b463033037e67aaacda31291643ea1a9

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20230413-0002/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-26053

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References