CVE-2021-32751

Name of the Vulnerable Software and Affected Versions Gradle versions prior to 7.2

Description The issue concerns arbitrary code execution when an attacker can change environment variables for the user running the script. This affects those using gradlew on Unix-like systems or scripts generated by Gradle in their application on Unix-like systems. For exploitation, an attacker must be able to set particular environment variables and have them seen by the vulnerable scripts. The issue was patched in Gradle 7.2 by removing the use of eval and requiring the bash shell.

Recommendations For versions prior to 7.2, ensure that untrusted users cannot change environment variables for the user executing gradlew or the start script. Generate a new gradlew script with Gradle 7.2 and use it for older versions of Gradle if an upgrade to 7.2 is not possible. Manually patch vulnerable start scripts to remove the use of eval or environment variables affecting the application's command-line. Consider running the application directly with the Java command if the application is simple enough.