CVE-2023-26053

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-26053

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26053.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26053

Aliases

BIT-gradle-2023-26053
GHSA-c724-3xg7-g3hf

Downstream

UBUNTU-CVE-2023-26053

Published

2023-03-02T03:11:31.488Z

Modified

2025-12-04T23:44:22.430255Z

Severity

6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Gradle usage of long IDs for PGP keys opens potential for collision attacks

Details

Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a trusted-key or pgp element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs for trusted-key or pgp element in the metadata is a protection against this issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26053.json",
    "cwe_ids": [
        "CWE-829"
    ]
}

References

Affected packages

Git / github.com/gradle/gradle

Affected ranges

Type

GIT

Repo

https://github.com/gradle/gradle

Events

Introduced

61d3320259a1a0d31519bf208eb13741679a742f

Fixed

7f9380f27d6dc6a1ee6dfc466b834b0408d0b0c4

Database specific

{
    "versions": [
        {
            "introduced": "6.2"
        },
        {
            "fixed": "6.9.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/gradle/gradle

Events

Introduced

d5661e3f0e07a8caff705f1badf79fb5df8022c4

Fixed

3905fe8ac072bbd925c70ddbddddf4463341f4b4

Database specific

{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.6.1"
        }
    ]
}

Affected versions

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.1.0

v7.1.0-RC1

v7.1.0-RC2

v7.1.1

v7.2.0

v7.2.0-RC1

v7.2.0-RC2

v7.2.0-RC3

v7.3.0

v7.3.0-RC1

v7.3.0-RC2

v7.3.0-RC3

v7.3.0-RC4

v7.3.0-RC5

v7.3.1

v7.3.2

v7.3.3

v7.3.3-RC1

v7.4.0

v7.4.0-RC1

v7.4.0-RC2

v7.4.1

v7.4.2

v7.5.0

v7.5.0-M1

v7.5.0-RC1

v7.5.0-RC2

v7.5.0-RC3

v7.5.0-RC4

v7.5.0-RC5

v7.5.1

v7.6.0

v7.6.0-M1

v7.6.0-RC1

v7.6.0-RC2

v7.6.0-RC3

v7.6.0-RC4