PT-2023-20453 · Gradle · Gradle
Published 2023-03-02 · Updated 2024-03-06 · CVE-2023-26053
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Gradle versions prior to 6.9.4
Gradle versions prior to 7.6.1
Gradle versions prior to 8.0
Description
This issue is a collision attack on long (64-bit) PGP key IDs. Users of dependency verification in Gradle are vulnerable if they reference PGP keys by long ID in a trusted-key or pgp element of their dependency verification metadata file.
Recommendations
For Gradle versions prior to 6.9.4, update to Gradle 6.9.4 or later.
For Gradle versions prior to 7.6.1, update to Gradle 7.6.1 or later.
For Gradle versions prior to 8.0, update to Gradle 8.0 or later.
As a temporary workaround, consider using only full fingerprint IDs for trusted-key or pgp elements in the metadata to protect against this issue.
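The workaround above comes down to one property of the metadata file: every trusted-key and pgp element must carry a full 40-hex-digit fingerprint rather than a 16-hex-digit long ID. The script below is an added example, not code from Gradle or from this advisory: it parses a constructed verification-metadata.xml (the key values in it are made-up placeholders, and the element and attribute names follow the Gradle dependency-verification format) and lists every key reference that is not a full fingerprint, so the weak form can be found before the upgrade and confirmed gone after it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Gradle verification-metadata.xml (not taken from any
# real project). All key IDs and fingerprints below are made-up placeholders.
SAMPLE_METADATA = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>true</verify-signatures>
    <trusted-keys>
      <!-- 16 hex digits = 64-bit long key ID: the form this advisory warns about -->
      <trusted-key id="0123456789ABCDEF" group="com.example"/>
      <!-- 40 hex digits = full v4 fingerprint: the recommended form -->
      <trusted-key id="0123456789ABCDEF0123456789ABCDEF01234567" group="org.example"/>
    </trusted-keys>
  </configuration>
  <components>
    <component group="com.example" name="lib" version="1.0">
      <artifact name="lib-1.0.jar">
        <!-- per-artifact pgp element, again pinned only by a long ID -->
        <pgp value="FEDCBA9876543210"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""

LONG_ID_RE = re.compile(r"^[0-9A-Fa-f]{16}$")      # 64-bit long key ID
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")  # 160-bit v4 fingerprint


def classify_key(value: str) -> str:
    """Return 'fingerprint', 'long-id', or 'unknown' for a key reference string."""
    value = value.strip()
    if FINGERPRINT_RE.match(value):
        return "fingerprint"
    if LONG_ID_RE.match(value):
        return "long-id"
    return "unknown"


def find_weak_key_refs(xml_text: str):
    """Return (element, key, kind) for every trusted-key/pgp reference that is
    not a full fingerprint, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Strip the XML namespace so the check does not depend on the exact xmlns URI.
        local = elem.tag.rsplit("}", 1)[-1]
        if local == "trusted-key":
            key = elem.get("id", "")
        elif local == "pgp":
            key = elem.get("value", "")
        else:
            continue
        kind = classify_key(key)
        if kind != "fingerprint":
            findings.append((local, key, kind))
    return findings


if __name__ == "__main__":
    for element, key, kind in find_weak_key_refs(SAMPLE_METADATA):
        print(f"<{element}> pins key {key!r} by {kind}; "
              "replace it with the key's full 40-hex-digit fingerprint")
```

Run against a real project by reading gradle/verification-metadata.xml into `find_weak_key_refs` in place of the constructed sample. An empty result means every key reference is already a full fingerprint; anything reported as `long-id` is exactly the configuration the advisory describes, and anything reported as `unknown` deserves a manual look.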
Affected Products
Gradle