Gradle Repository Disabling Vulnerability Allowing Malicious Artifact Injection

Vulnerability

A vulnerability exists in Gradle's dependency resolution process in versions prior to 9.3.0 and in the 9.0.0 to 9.2.1 range. When Gradle encounters certain exceptions, such as NoHttpResponseException, it does not treat them as fatal errors, so it continues resolving the dependency from the remaining repositories instead of disabling the failing one. As a result, an attacker who can disrupt a repository's service, and who controls another repository configured in the build, could have Gradle deliver malicious artifacts from the latter.

Impact

Exploitation of this vulnerability could lead to the injection of malicious artifacts into a Gradle build, bypassing normal dependency resolution safeguards.

Remediation

Users can upgrade to Gradle versions 8.14.4 or 9.3.0 and later, both of which address this vulnerability. If an upgrade is not possible, configuring dependency verification can help ensure that only expected dependencies are resolved.
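The following is an added example of the dependency verification mitigation mentioned above; it is not taken from the advisory or from the Gradle project. It is a gradle/verification-metadata.xml file that pins one dependency's artifact and its POM to expected SHA-256 checksums, so that an artifact served by a different repository with different contents fails the build instead of being consumed. The coordinates (org.example.lib:example-lib:1.2.3) and the checksum values are placeholders; a real file is normally generated with gradle --write-verification-metadata sha256 help and then reviewed before being committed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the advisory's or Gradle's own file).
     Location: gradle/verification-metadata.xml at the root of the build.
     All coordinates and checksum values below are constructed placeholders. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <!-- Verify POM/module metadata as well as jars, so a swapped POM
           cannot silently pull in extra transitive dependencies. -->
      <verify-metadata>true</verify-metadata>
      <!-- Checksum-only mode; set to true and add trusted-keys to also
           require PGP signatures on artifacts. -->
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <!-- Placeholder coordinates: replace with the build's real dependencies. -->
      <component group="org.example.lib" name="example-lib" version="1.2.3">
         <artifact name="example-lib-1.2.3.jar">
            <!-- PLACEHOLDER checksum: take the real value from the generated file
                 and confirm it against the publisher's published checksum. -->
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000000"
                    origin="Generated by Gradle, reviewed manually"/>
         </artifact>
         <artifact name="example-lib-1.2.3.pom">
            <!-- PLACEHOLDER checksum for the POM. -->
            <sha256 value="1111111111111111111111111111111111111111111111111111111111111111"
                    origin="Generated by Gradle, reviewed manually"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Once this file is present, Gradle verifies every resolved artifact against it and fails the build on a mismatch or on an artifact with no entry. Note that verification does not change which repository answers a request; it makes the substituted artifact fail the checksum check, which is the property that matters for the scenario described above. Entries must be regenerated and reviewed whenever dependencies change, which is the operational cost of this control.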

Added: Jan 16, 2026, 11:19 PM
Updated: Jan 16, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.4
remediation: 8.3
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.