Enrico2

**Name of the Vulnerable Software and Affected Versions** gradle-completion versions prior to 9.3.1 **Description** gradle-completion offers Bash and Zsh completion support for Gradle. A command injection issue exists in versions up to and including 9.3.0, potentially leading to arbitrary code execution. This occurs when a user triggers Bash tab completion within a project containing a crafted Gradle build file. The Bash completion script inadequately sanitizes Gradle task names and descriptions. Specifically, a malicious Gradle build file can inject commands when the user completes a command in Bash. The issue stems from the script evaluating strings between backticks within task descriptions as commands when displaying the completion list. This does not affect zsh completion. The vulnerability does not require task execution to be triggered. **Recommendations** Update to gradle-completion version 9.3.1 or later. As a temporary workaround, remove `gradle-completion` from `.bashrc` or `.bash profile` to disable Bash completion for Gradle.