Impact
This is a XML external entities (XXE) vulnerability. See CWE-611 and OWASP XXE.
In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server.
Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle.
Impacted use-cases in the Gradle Build Tool:
| Use case |
Vulnerable |
Exploitable remotely |
| Ivy descriptor parsing |
YES |
YES |
| Maven POM parsing |
NO |
NO |
| Maven Toolchains discovery |
YES |
NO |
| Generation of Ivy and Maven metadata for publishing |
YES |
NO |
| Dependency Verification metadata |
NO |
NO |
| EAR deployment descriptor parsing |
YES |
NO |
| IntelliJ, Eclipse, VisualStudio, xcode file generation |
YES |
NO |
In the use-cases above, only Ivy descriptor parsing is exploitable remotely. This would require an attacker to have control over an Ivy repository used by your build or be able to publish a malicious Ivy descriptor to a repository your build uses for a dependency you use.
Other use-cases are either not exploitable because existing measures protect from the XXE vulnerability or are only exploitable from local files. An attacker would need to modify your build or local build tool configuration files to exploit the XXE vulnerability.
Note that the IDE files generation related use cases only refer to using the relative Gradle plugins to generate their configuration. Project import in IntelliJ, Android Studio or Eclipse are not impacted.
Patches
In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.
It is recommended that users upgrade to a patched version.
Workarounds
If you are unable to upgrade to Gradle 7.6.3 or 8.4, you can disable resolving XML external entities by setting JAXP system properties.
This can be done on the command line by adding the following:
-Djavax.xml.accessExternalDTD=false -Djavax.xml.accessExternalSchema=false -Djavax.xml.accessExternalStylesheet=false
This can be made persistent by adding the following lines in a gradle.properties file:
systemProps.javax.xml.accessExternalDTD=false
systemProps.javax.xml.accessExternalSchema=false
systemProps.javax.xml.accessExternalStylesheet=false
References
Impact
This is a XML external entities (XXE) vulnerability. See CWE-611 and OWASP XXE.
In some cases, when Gradle parses XML files, resolving XML external entities is not disabled. Combined with an Out Of Band XXE attack (OOB-XXE), just parsing XML can lead to exfiltration of local text files to a remote server.
Gradle parses XML files for several purposes. Most of the time, Gradle parses XML files it generated or were already present locally. Only Ivy XML descriptors and Maven POM files can be fetched from remote repositories and parsed by Gradle.
Impacted use-cases in the Gradle Build Tool:
In the use-cases above, only Ivy descriptor parsing is exploitable remotely. This would require an attacker to have control over an Ivy repository used by your build or be able to publish a malicious Ivy descriptor to a repository your build uses for a dependency you use.
Other use-cases are either not exploitable because existing measures protect from the XXE vulnerability or are only exploitable from local files. An attacker would need to modify your build or local build tool configuration files to exploit the XXE vulnerability.
Note that the IDE files generation related use cases only refer to using the relative Gradle plugins to generate their configuration. Project import in IntelliJ, Android Studio or Eclipse are not impacted.
Patches
In Gradle 7.6.3 and 8.4, resolving XML external entities has been disabled for all use cases to protect against this vulnerability. Gradle will now refuse to parse XML files that have XML external entities.
It is recommended that users upgrade to a patched version.
Workarounds
If you are unable to upgrade to Gradle 7.6.3 or 8.4, you can disable resolving XML external entities by setting JAXP system properties.
This can be done on the command line by adding the following:
This can be made persistent by adding the following lines in a
gradle.propertiesfile:References