cvedb.io
CVE-2023-35947
MEDIUM · CVSS 6.9
EPSS exploitation probability: 0%
Published 2023-06-30T21:15:09.147 · Last modified 2026-06-17T06:05:31.650

Summary

Gradle is a build tool with a focus on build automation and support for multi-language development. In affected versions when unpacking Tar archives, Gradle did not check that files could be written outside of the unpack location. This could lead to important files being overwritten anywhere the Gradle process has write permissions. For a build reading Tar entries from a Tar archive, this issue could allow Gradle to disclose information from sensitive files through an arbitrary file read. To exploit this behavior, an attacker needs to either control the source of an archive already used by the build or modify the build to interact with a malicious archive. It is unlikely that this would go unnoticed. A fix has been released in Gradle 7.6.2 and 8.2 to protect against this vulnerability. Sta

Affected products

gradle — gradle

Does this affect you?

Add your gear to cvedb and we'll alert you only when gradle ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.