Gradle, a popular build automation tool supporting various programming languages, has been found to be vulnerable to an XML External Entity Injection (XXE) attack, specifically an Out of Band XXE (OOB-XXE) attack. This vulnerability, indexed as CVE-2023-42445, arises when Gradle processes XML files and does not disable the resolution of XML external entities. It can lead to the exfiltration of sensitive data, such as local text files, to a remote attacker's server.

Affected Versions

Gradle versions prior to 7.6.3 and 8.4

Exploit Details

Gradle typically parses XML files it generates or that are already present on the local system. However, some XML files, such as Ivy XML descriptors and Maven POM files, can be fetched from remote repositories and parsed by Gradle. In situations where XML external entity resolution is not disabled, an attacker can insert malicious XML external entities, leading to an OOB-XXE attack and data exfiltration.

Code Snippet:

Consider the following XML file as an example of a malicious XML external entity

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

If Gradle were to parse this XML file without disabling external entity resolution, the contents of /etc/passwd would be read and potentially exfiltrated to an attacker-controlled server.

Mitigation

The developers of Gradle have released versions 7.6.3 and 8.4, which disable XML external entity resolution for all use cases in an effort to protect against this vulnerability. As a result, Gradle will no longer parse XML files containing XML external entities.

To protect your projects, it is strongly recommended to upgrade the Gradle version your builds use to 7.6.3 or 8.4, following the official Gradle upgrade guide: https://docs.gradle.org/current/userguide/upgrading_version_7.html

Additionally, developers working with XML parsers should ensure that external entity resolution is disabled in any libraries used to parse XML files in order to guard against XXE attacks.
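As an added example (not code from the advisory or from the Gradle project), the following Java class shows the parser configuration the OWASP cheat sheet recommends for JAXP's DocumentBuilderFactory, applied to a constructed document with the same DOCTYPE and entity as the snippet above. With a default DocumentBuilderFactory the SYSTEM entity would be resolved and its contents placed into the DOM; with the hardened factory the DOCTYPE itself is rejected, so no entity is ever declared or resolved. The class name, the SAMPLE constant and the helper method names are assumptions for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public final class SafeXmlParser {

    // Constructed sample with the same DOCTYPE/entity structure as the advisory's
    // snippet. The referenced path never has to exist: the hardened parser rejects
    // the DOCTYPE before any entity declaration is processed.
    static final String SAMPLE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE foo [\n"
        + "  <!ELEMENT foo ANY >\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n"
        + "<foo>&xxe;</foo>";

    /** Builds a DocumentBuilderFactory that refuses DTDs and external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary defence: refuse any DOCTYPE, which removes entity declarations
        // (and therefore both in-band and out-of-band XXE) entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must be tolerated: never
        // fetch external general or parameter entities, nor an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /**
     * Parses untrusted XML (for example a POM or Ivy descriptor fetched from a
     * remote repository) and returns the root element name. Any document carrying
     * a DOCTYPE is rejected with a SAXParseException.
     */
    static String parseUntrusted(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        try {
            System.out.println("root element: " + parseUntrusted(SAMPLE));
        } catch (SAXParseException e) {
            // Expected for SAMPLE: the hardened factory refuses the DOCTYPE outright.
            System.out.println("rejected: " + e.getMessage());
        }
        // A document without a DOCTYPE still parses normally.
        System.out.println("root element: " + parseUntrusted("<project><name>demo</name></project>"));
    }
}
```

Disallowing the DOCTYPE is the single setting that matters most: it fails closed even if a parser implementation ignores one of the finer-grained features. The remaining features are kept for parsers that must accept a DTD for legitimate reasons, and for SAXParserFactory or XMLInputFactory the equivalent properties are listed in the OWASP cheat sheet linked below.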

Additional Resources

1. Gradle Release Notes for 7.6.3: https://docs.gradle.org/7.6.3/release-notes.html
2. Gradle Release Notes for 8.4: https://docs.gradle.org/8.4/release-notes.html
3. CVE-2023-42445 Vulnerability Information: https://example_cve_database_link.com/cve/CVE-2023-42445
4. OWASP XXE Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Conclusion

The discovery of the CVE-2023-42445 vulnerability in Gradle serves as a critical reminder for developers to disable XML external entity resolution when working with XML files. By upgrading the Gradle version your builds use to 7.6.3 or 8.4 and ensuring external entity resolution is disabled in your own XML parsers, you can help protect your projects against potential data exfiltration and other security threats resulting from XXE attacks.

Timeline

Published on: 10/06/2023 14:15:12 UTC
Last modified on: 11/10/2023 18:15:08 UTC