CVE-2023-35946: 
Gradle vulnerability analysis and mitigation

CVE-2023-35946 is a path traversal vulnerability affecting Gradle, a build automation tool. The vulnerability was discovered in versions prior to 7.6.2 and 8.0-8.1.1, and was disclosed on June 30, 2023. When Gradle writes a dependency into its dependency cache, it uses the dependency's coordinates to compute a file location. With specially crafted dependency coordinates, an attacker could make Gradle write files into unintended locations (GitHub Advisory).

The vulnerability is classified as a path traversal issue (CWE-22) that allows writing files outside the intended dependency cache directory. The CVSS v3.1 base score is 6.9 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L, indicating local attack vector with high complexity, no privileges required, and user interaction required. The vulnerability could be exploited through specially crafted dependency coordinates that contain path traversal elements (GitHub Advisory, NVD).

Successful exploitation of this vulnerability could lead to dependency cache poisoning or overwriting important files elsewhere on the filesystem where the Gradle process has write permissions. The impact is particularly severe as it could allow an attacker to replace legitimate dependencies with malicious ones or compromise the build environment (GitHub Advisory).

The vulnerability has been patched in Gradle versions 7.6.2 and 8.2. The fix prevents caching of dependencies that have path traversal elements in their coordinates. For users unable to upgrade immediately, enabling dependency verification can make the vulnerability more difficult to exploit, as it requires attackers to either sign compromised dependencies with an already trusted key or modify the dependency verification metadata (GitHub Advisory).