CVE-2023-44387

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-44387
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-44387.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-44387
Aliases
Downstream
Published
2023-10-05T17:51:15.407Z
Modified
2026-04-10T05:01:39.967043Z
Severity
  • 3.2 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
Gradle has incorrect permission assignment for symlinked files used in copy or archiving operations
Details

Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.

Database specific 
{
    "cwe_ids": [
        "CWE-732"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/44xxx/CVE-2023-44387.json"
}
References

Affected packages

Git / github.com/gradle/gradle

Affected ranges

Type
GIT
Repo
https://github.com/gradle/gradle
Events
Introduced
daece9dbc5b79370cc8e4fd6fe4b2cd400e150a8
Fixed
1694251d59e0d4752d547e1fd5b5020b798a7e71
Database specific 
{
    "versions": [
        {
            "introduced": "7.6.0"
        },
        {
            "fixed": "7.6.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/gradle/gradle
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
e9251e572c9bd1d01e503a0dfdf43aedaeecdc3f
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.4.0"
        }
    ]
}

Affected versions

REL-0.*
REL-0.8
REL-0.9-preview-1
REL-0.9-preview-2
REL-0.9-preview-3
REL-0.9-rc-1
REL_0.*
REL_0.9
REL_0.9-rc-2
REL_0.9-rc-3
REL_0.9.1
REL_0.9.2
REL_1.*
REL_1.0-milestone-1
REL_1.0-milestone-2
REL_1.0-milestone-3
REL_1.11
REL_1.11-rc-1
REL_1.12
REL_1.12-rc-1
REL_1.12-rc-2
REL_3.*
REL_3.0-milestone-1
v0.*
v0.8
v0.8.0
v0.9
v0.9-RC1
v0.9-RC2
v0.9-RC3
v0.9.0
v0.9.0-RC1
v0.9.0-RC2
v0.9.0-RC3
v0.9.1
v0.9.2
v1.*
v1.0-M1
v1.0-M2
v1.0-M3
v1.0.0-M1
v1.0.0-M2
v1.0.0-M3
v1.11
v1.11-RC1
v1.11.0
v1.11.0-RC1
v1.12
v1.12-RC1
v1.12-RC2
v1.12.0
v1.12.0-RC1
v1.12.0-RC2
v3.*
v3.0.0-M1
v6.*
v6.1.0-M1
v6.1.0-M2
v6.5.0-M1
v6.5.0-M2
v6.6.0-M1
v6.6.0-M2
v6.8.0-M1
v6.8.0-M2
v6.8.0-M3
v7.*
v7.0.0-M1
v7.0.0-M2
v7.0.0-M3
v7.6.0
v7.6.1
v7.6.2
v8.*
v8.0.0-M2
v8.3.0
v8.3.0-RC1
v8.3.0-RC2
v8.3.0-RC3
v8.3.0-RC4
v8.4.0-RC1
v8.4.0-RC2
v8.4.0-RC3

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-44387.json"