PT-2023-23009 · Gradle · Gradle Build Tool

Bigdaz · Published 2023-04-28 · Updated 2023-05-10 · CVE-2023-30853

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Gradle Build Action versions prior to 2.4.2
Description: A vulnerability in the Gradle Build Action impacts GitHub workflows that have executed the Gradle Build Tool with the configuration cache enabled, potentially exposing secrets configured for the repository. Secrets are normally passed to the Gradle Build Tool via environment variables, and because of the way the Gradle Build Tool records these environment variables, they may be persisted into an entry in the GitHub Actions cache. Data stored in the GitHub Actions cache can be read by a GitHub Actions workflow running in an untrusted context, such as a workflow run for a pull request submitted from a repository fork. The vulnerability was discovered internally through code review, and there is no evidence of it being exploited in the wild. However, affected users should delete any potentially vulnerable cache entries and may choose to rotate any potentially affected secrets.
Recommendations:
For Gradle Build Action versions prior to 2.4.2, upgrade to version 2.4.2 or newer to prevent ongoing leakage of secrets via the GitHub Actions cache.
Delete any potentially vulnerable cache entries; these can be identified in the GitHub UI by searching for cache entries whose key matches configuration-cache-*.
Consider rotating any potentially affected secrets if you cannot be certain that they have not been compromised.
As a temporary workaround, consider passing the --no-configuration-cache command-line argument to disable the configuration cache feature in the GitHub Actions workflow.
Carefully inspect any pull request before approving the execution of GitHub Actions workflows, and consider requiring approval for all PRs from external contributors.
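Added illustration, not part of the advisory: the three workflow fragments below contrast a job that matches the advisory's conditions with the upgraded form and with the temporary workaround. The gradle/gradle-build-action name and its arguments input are assumed from the action's documentation; the actions/checkout step, the affected-version placeholder v2.x.y and the secret name PUBLISH_TOKEN are illustrative.

```yaml
# Added example, not from the advisory. Action name and the "arguments"
# input are assumptions; "v2.x.y" is a placeholder for any release before 2.4.2.
jobs:

  # Affected: old action version, configuration cache enabled, and a secret
  # handed to Gradle as an environment variable. This is the combination the
  # advisory describes: the variable can end up in a configuration-cache-*
  # entry of the GitHub Actions cache, readable from a fork's PR workflow.
  build-affected:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/gradle-build-action@v2.x.y        # placeholder, < 2.4.2
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}  # illustrative secret
        with:
          arguments: build --configuration-cache

  # Fixed: upgrade to 2.4.2 or newer, the version the advisory names.
  build-fixed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/gradle-build-action@v2.4.2
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
        with:
          arguments: build

  # Temporary workaround when the upgrade cannot be applied yet: keep the
  # current version but disable the configuration cache for the run, so no
  # configuration-cache-* entry is produced.
  build-workaround:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/gradle-build-action@v2.x.y        # placeholder, < 2.4.2
        env:
          PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
        with:
          arguments: build --no-configuration-cache
```

After applying either remediation, existing configuration-cache-* entries still have to be deleted from the repository's Actions cache, as the advisory states; changing the workflow does not remove data already stored.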

Weakness Enumeration

Cleartext Storage of Sensitive Information
Information Disclosure

Related Identifiers

CVE-2023-30853
GHSA-H3QR-39J9-4R5V

Affected Products

Gradle Build Action
Gradle Build Tool