Gradle Repository Disabling Vulnerability Allowing Malicious Artifact Injection

Vulnerability

Gradle versions prior to 9.3.0 and 8.14.4 did not disable a repository when dependency resolution against it failed with certain connection errors, such as a host name that cannot be resolved. Instead of treating the failure as fatal, Gradle skipped the repository and continued resolving dependencies from the repositories declared after it. A repository whose host name does not resolve (because of a typo in the domain, or because the domain registration lapsed) can therefore sit unnoticed at the front of the repository list; if an attacker later obtains that domain, the repository is consulted first and can serve malicious artifacts for any dependency it claims to have. Gradle 9.3.0 and 8.14.4 change the repository disabling behavior so that such a repository is disabled and resolution no longer falls through silently to the repositories declared after it, prioritizing security and build reproducibility over convenience.

Impact

An attacker who gains control of the host name of a skipped repository can inject malicious artifacts into the Gradle build. Because the affected versions produce no build failure when the repository is unreachable, the misconfiguration that makes this possible never surfaces, and a substituted artifact is accepted unless the build has dependency verification metadata covering it.

Reproduction

To reproduce, declare a Maven repository whose host name does not resolve (a domain with a typo, or one whose registration has lapsed) and list it before the build's other repositories. On affected Gradle versions the build does not fail: Gradle skips the unresolvable repository and resolves its dependencies from the repositories declared after it. Because the skipped repository keeps its place at the front of the list, anyone who later controls that host name can answer requests for every dependency and inject malicious artifacts.

Remediation

Upgrade to Gradle 9.3.0 or later, or to 8.14.4 on the 8.x line. If an immediate upgrade is not possible, review every repository declaration in build scripts, settings files and init scripts, remove unused or outdated entries, and confirm that each remaining host resolves to the server you expect. Enable Gradle's dependency verification (checksums and, where available, signatures recorded in gradle/verification-metadata.xml) so that an artifact served from an unexpected source fails the build instead of being accepted.
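The following Python script is an added example, not part of the original advisory and not Gradle's own tooling. It performs the review the Remediation section calls for: it lists the repositories a build script declares, in declaration order, checks whether each host name resolves, and flags an unresolvable repository that is declared ahead of a live one, which is the misordering the Reproduction section describes. The sample build script, the repo.exmaple.invalid host and the shorthand-to-host mapping are constructed for the example; audit() accepts a resolver callback so it can run without network access.

```python
"""Audit the repository order of a Gradle build script for unresolvable hosts.

Added example, not Gradle's own tooling. It lists the repositories a build
script declares, in declaration order, checks whether each host name
resolves, and flags any unresolvable repository declared before a resolvable
one: the ordering the advisory describes, where a typo'd or lapsed domain
would be consulted first if an attacker registered it.
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Hosts behind Gradle's shorthand repository methods (per Gradle's docs).
SHORTHAND_HOSTS = {
    "mavenCentral": "repo.maven.apache.org",
    "gradlePluginPortal": "plugins.gradle.org",
    "google": "dl.google.com",
}

# One regex so URL declarations and shorthand calls are found in source order.
# Handles `url = uri("...")`, `url "..."`, `url uri("...")` and `setUrl("...")`
# in Groovy or Kotlin DSL; other layouts are not parsed.
DECL_RE = re.compile(
    r'''(?:setUrl|url)\s*=?\s*\(?\s*(?:uri\s*\()?\s*["'](?P<url>[^"']+)["']'''
    r'''|\b(?P<short>mavenCentral|gradlePluginPortal|google)\s*\(\s*\)'''
)
# Line comments, but not the `//` inside a scheme such as https://.
COMMENT_RE = re.compile(r"(?<!:)//[^\n]*")


@dataclass
class Repo:
    position: int      # 0-based declaration order
    host: str
    declared_as: str   # the literal or shorthand as written


def extract_repositories(script: str) -> List[Repo]:
    """Return the repositories a build script declares, in declaration order."""
    repos: List[Repo] = []
    for m in DECL_RE.finditer(COMMENT_RE.sub("", script)):
        if m.group("short"):
            name = m.group("short")
            repos.append(Repo(len(repos), SHORTHAND_HOSTS[name], name + "()"))
            continue
        host = urlsplit(m.group("url")).hostname
        if host is None:  # file:// URLs or relative paths have nothing to resolve
            continue
        repos.append(Repo(len(repos), host, m.group("url")))
    return repos


def dns_resolves(host: str) -> bool:
    """True if the host has at least one address record (live DNS lookup)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit(script: str, resolves: Callable[[str], bool] = dns_resolves) -> Dict[str, List[Repo]]:
    """Classify declared repositories; `resolves` is injectable for offline use."""
    repos = extract_repositories(script)
    status = {r.position: resolves(r.host) for r in repos}
    unresolvable = [r for r in repos if not status[r.position]]
    last_ok = max((r.position for r in repos if status[r.position]), default=-1)
    # Gradle queries repositories in declaration order and takes the first hit,
    # so an unresolvable repository ahead of a live one would win for every
    # artifact it served once its domain resolved to an attacker's server.
    shadowing = [r for r in unresolvable if r.position < last_ok]
    return {"repositories": repos, "unresolvable": unresolvable, "shadowing": shadowing}


def format_report(result: Dict[str, List[Repo]]) -> str:
    lines = [f"{r.position}: {r.declared_as} -> {r.host}" for r in result["repositories"]]
    for r in result["unresolvable"]:
        flag = "SHADOWS later repositories" if r in result["shadowing"] else "unresolvable"
        lines.append(f"WARNING position {r.position} ({r.host}): {flag}")
    return "\n".join(lines)


# Constructed sample (Kotlin DSL), not from any real project. The first host
# uses the reserved .invalid TLD so it never resolves, standing in for a typo
# or lapsed domain, and it is declared before the repositories that do resolve.
SAMPLE_BUILD_SCRIPT = """
repositories {
    // internal mirror, domain mistyped
    maven { url = uri("https://repo.exmaple.invalid/maven2") }
    mavenCentral()
    maven { url = uri("https://plugins.gradle.org/m2") }
}
"""

if __name__ == "__main__":
    print(format_report(audit(SAMPLE_BUILD_SCRIPT)))
```

Run it against a real build file with audit(open("build.gradle.kts").read()); the default resolver performs a live DNS lookup. Any repository it flags should be removed or corrected before the build is trusted. Pinning the remaining dependencies with ./gradlew --write-verification-metadata sha256 help, which generates gradle/verification-metadata.xml, makes a later substitution fail the build even on Gradle versions that still skip an unresolvable repository.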

Added: Jan 16, 2026, 11:50 PM
Updated: Jan 16, 2026, 11:50 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 5.0
remediation: 8.3
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.