PT-2022-17642 · Unknown · Com.Diffplug.Gradle:Goomph

Jonathan Leitschuh · Published 2022-09-11 · Updated 2022-09-16 · CVE-2022-26049

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

com.diffplug.gradle:goomph versions prior to 3.37.2

Description

This issue allows a malicious zip file to break out of the expected destination directory and write its contents to arbitrary locations on the file system. Overwriting certain files or directories could allow an attacker to achieve remote code execution on the target system. The only files Goomph extracts are the p2 bootstrapper and the Eclipse metadata files hosted at eclipse.org, which are not malicious, so users could only have been affected if they had configured a custom bootstrap zip and that zip was malicious.

Recommendations

For versions prior to 3.37.2, update to version 3.37.2 or later to resolve the issue. As a temporary workaround, avoid using custom bootstrap zips to minimize the risk of exploitation. Restrict access to arbitrary directories to prevent potential remote code execution.
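The check that this class of bug is missing, shown as an added example (not Goomph's own code): each entry name is joined to the destination, canonicalised, and rejected if it resolves outside the destination. The archive is a constructed fixture with one benign entry and one that climbs out with `..`; the entry names and the temporary directory are assumptions of this example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

def build_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def is_contained(dest_dir, entry_name):
    """True if entry_name, joined under dest_dir and canonicalised, stays inside it."""
    dest = os.path.realpath(dest_dir)
    # join() discards dest for absolute entry names, so those are rejected as well
    target = os.path.realpath(os.path.join(dest, entry_name))
    return target == dest or target.startswith(dest + os.sep)

def safe_extract(zip_bytes, dest_dir):
    """Extract entries whose resolved path stays under dest_dir; return (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_contained(dest_dir, info.filename):
                rejected.append(info.filename)  # validate before writing anything
                continue
            target = Path(dest_dir, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected

def demo():
    """Constructed archive: one benign entry, one that tries to escape the destination."""
    dest = tempfile.mkdtemp(prefix="bootstrap-demo-")  # assumed scratch directory
    archive = build_zip({
        "plugins/ok.txt": b"benign",
        "../../escaped.txt": b"would be written outside dest",
    })
    extracted, rejected = safe_extract(archive, dest)
    escaped = Path(dest).resolve().parent.parent / "escaped.txt"
    return extracted, rejected, escaped.exists()
```

`demo()` returns the extracted and rejected entry names plus whether the escaped file was written; the third value is `False` because the traversal entry never reaches the write.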

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2022-26049
GHSA-P2F7-9CV7-JJF6

Affected Products

Com.Diffplug.Gradle:Goomph