PT-2022-20571 · Gradle · Gradle

Ljacomet · Published 2022-07-14 · Updated 2026-05-04 · CVE-2022-31156

CVSS v3.1: 6.6 (Medium)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gradle versions 6.2 through 7.4.2

Description: Gradle is a build tool with a security feature called dependency verification, which validates external dependencies through checksums or cryptographic signatures. In affected versions, there are cases where Gradle may skip verification and accept untrusted dependencies. This can happen in two ways: when signature verification is disabled but the verification metadata contains gpg elements without checksum elements, or when signature verification is enabled but no signature file is found on the remote repository. The risks for vulnerable builds include downloading malicious binaries due to name squatting, or downloading malicious libraries when using HTTP instead of HTTPS.

Recommendations: For Gradle versions 6.2 through 7.4.2, consider updating to Gradle 7.5, which patches this issue by ensuring checksum verification runs if signature verification cannot be completed. As a temporary workaround, remove all gpg elements from the dependency verification metadata if signature validation is disabled. Avoid adding gpg entries for dependencies that do not have signature files.
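To check whether a build is exposed to either of the two cases above, a practitioner can audit the per-artifact entries in verification-metadata.xml for artifacts that carry a key-id entry but no checksum, since those are exactly the artifacts with no fallback when signature verification is disabled or the signature file is absent. The following is an added example, not Gradle's own code or part of this advisory. It assumes the layout of Gradle's verification-metadata.xml (namespace https://schema.gradle.org/dependency-verification, a <verify-signatures> flag under <configuration>, <pgp> elements for key ids, which the advisory calls gpg elements, and <md5>/<sha1>/<sha256>/<sha512> elements for checksums); the sample file, key ids and checksum values are constructed placeholders.

```python
"""Audit a Gradle verification-metadata.xml for artifacts that rely on a
signature alone (CVE-2022-31156). Added example; not Gradle's own code.
Assumes the element names of Gradle's verification-metadata schema."""
import xml.etree.ElementTree as ET

CHECKSUM_TAGS = {"md5", "sha1", "sha256", "sha512"}
PGP_TAG = "pgp"

# Constructed sample (placeholder key ids and checksum): lib-a has only a
# pgp entry, lib-b has a pgp entry plus a sha256 checksum.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="com.example" name="lib-a" version="1.0">
         <artifact name="lib-a-1.0.jar">
            <pgp value="0000000000000000000000000000000000000000"/>
         </artifact>
      </component>
      <component group="com.example" name="lib-b" version="2.1">
         <artifact name="lib-b-2.1.jar">
            <pgp value="1111111111111111111111111111111111111111"/>
            <sha256 value="placeholder-sha256-value"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""


def _local(tag):
    """Strip the XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def find_unprotected_artifacts(xml_text):
    """Return (verify_signatures_enabled, [artifact ids with pgp but no checksum]).

    Such artifacts have no checksum fallback: with signature verification
    disabled (affected versions) they are accepted unverified, and with it
    enabled a missing signature file on the repository has the same effect.
    """
    root = ET.fromstring(xml_text)
    verify_sigs = False
    for el in root.iter():
        if _local(el.tag) == "verify-signatures":
            verify_sigs = (el.text or "").strip().lower() == "true"

    unprotected = []
    for comp in root.iter():
        if _local(comp.tag) != "component":
            continue
        coord = f"{comp.get('group')}:{comp.get('name')}:{comp.get('version')}"
        for art in comp:
            if _local(art.tag) != "artifact":
                continue
            child_tags = {_local(c.tag) for c in art}
            if PGP_TAG in child_tags and not (child_tags & CHECKSUM_TAGS):
                unprotected.append(f"{coord}/{art.get('name')}")
    return verify_sigs, unprotected


def report(xml_text):
    """Turn the audit result into one finding per exposed artifact, phrased
    according to which of the two advisory cases applies."""
    verify_sigs, unprotected = find_unprotected_artifacts(xml_text)
    findings = []
    for art in unprotected:
        if verify_sigs:
            findings.append(
                f"{art}: pgp-only entry; add a checksum so a missing "
                f"signature file on the repository cannot bypass verification")
        else:
            findings.append(
                f"{art}: pgp entry while signature verification is disabled; "
                f"remove it or add a checksum")
    return findings


if __name__ == "__main__":
    for line in report(SAMPLE_XML):
        print(line)
```

The audit only looks at per-artifact entries; components that are covered solely through a <trusted-keys> section (so no <artifact> element exists for them) have no checksum either and deserve the same review. After upgrading to Gradle 7.5 the checksum fallback runs regardless, but flagged artifacts still lack a checksum to fall back to, so adding one remains the durable fix.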

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers:
BIT-GRADLE-2022-31156
CVE-2022-31156
GHSA-J6WC-XFG8-JX2J

Affected Products: Gradle