
Cloud Vulnerability DB
Gradle, a build automation tool with multi-language development support, contained a vulnerability in versions 6.2 through 7.3.3 in which dependency verification could be bypassed. The vulnerability (CVE-2022-23630) was discovered and disclosed in February 2022 and affects the dependency verification feature, which validates external dependencies through checksums or cryptographic signatures (GitHub Advisory).
The vulnerability occurs when dependency verification is disabled on one or more configurations that share dependencies with other configurations where verification is enabled. If a configuration with verification disabled is resolved first, Gradle does not verify the shared dependencies when the configurations with verification enabled are resolved afterwards. The bypass requires the use of ResolutionStrategy.disableDependencyVerification(). The vulnerability has been assigned a CVSS v3.1 base score of 6.6 (Moderate), with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).
The vulnerability presents two primary risks: First, dependency poisoning/confusion attacks where Gradle could download malicious binaries from external repositories due to name squatting. Second, Man-in-the-Middle attacks where builds using HTTP (instead of HTTPS) could download malicious libraries instead of legitimate ones (GitHub Advisory).
The vulnerability was patched in Gradle 7.4, which ensures artifacts are validated at least once if they are present in a resolved configuration with active dependency verification. For users unable to upgrade, workarounds include avoiding the use of ResolutionStrategy.disableDependencyVerification() and ensuring that configurations with disabled verification features are not resolved in builds where the feature is enabled for other configurations (GitHub Advisory).
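The following Gradle build script (Groovy DSL) is an added example, not code from the advisory, from Wiz, or from the Gradle project. It shows the shared-artifact pattern described above, the per-configuration opt-out that the bypass hinges on (left commented out), and a guard that enforces the workaround by failing the build if any configuration has verification disabled. The `codegenTool` configuration name and the coordinates `com.example:shared-lib:1.0.0` are constructed placeholders; the script assumes a `gradle/verification-metadata.xml` already exists, and it relies on `isDependencyVerificationEnabled()`, the query counterpart of `disableDependencyVerification()` on Gradle's `ResolutionStrategy`.

```groovy
// build.gradle (Groovy DSL). Added example, not from the advisory or the Gradle project.
// Assumes gradle/verification-metadata.xml exists with checksums for every artifact,
// e.g. bootstrapped once with:  gradle --write-verification-metadata sha256 help
// The coordinates 'com.example:shared-lib:1.0.0' are a constructed placeholder.

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

configurations {
    // Hypothetical ad-hoc configuration for a code-generation tool's classpath.
    codegenTool
}

dependencies {
    implementation 'com.example:shared-lib:1.0.0'   // verified when compileClasspath resolves
    codegenTool    'com.example:shared-lib:1.0.0'   // same artifact, shared with the line above
}

// --- Weak setting (what CVE-2022-23630 hinges on, Gradle 6.2 through 7.3.3) ---
// Verification is switched off for one configuration that shares an artifact
// with verified configurations. Resolution order decides the outcome: if
// codegenTool resolves before compileClasspath, shared-lib is fetched without a
// checksum check and compileClasspath never re-checks it. Kept commented out so
// this script never enables the bypass.
//
// configurations.codegenTool.resolutionStrategy.disableDependencyVerification()

// --- Hardened setting ---
// Do not opt any configuration out. If an artifact genuinely cannot be verified,
// record an explicit <trusted-artifacts> entry in gradle/verification-metadata.xml
// instead, so the exception lives in a reviewed file rather than a per-configuration
// switch that silently affects every configuration sharing the artifact.
//
// Guard: after all projects are evaluated, fail the build if any configuration has
// verification disabled. For builds still on an affected version this enforces the
// advisory's workaround; on 7.4+ it keeps the opt-out from being reintroduced.
gradle.projectsEvaluated {
    allprojects { project ->
        project.configurations.each { conf ->
            if (!conf.resolutionStrategy.isDependencyVerificationEnabled()) {
                throw new GradleException(
                    "Dependency verification is disabled on ${project.path}:${conf.name}; " +
                    "remove disableDependencyVerification() (see CVE-2022-23630)")
            }
        }
    }
}
```

The guard iterates the configuration container without resolving anything, so it adds no network access and runs before any task resolves a classpath; uncommenting the `disableDependencyVerification()` line makes the build fail at configuration time with the project and configuration name in the message.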
Source: This report was generated using AI