CVE-2023-35947: 
Gradle vulnerability analysis and mitigation

CVE-2023-35947 is a path traversal vulnerability discovered in Gradle, a build automation tool. The vulnerability affects versions prior to 7.6.2 and versions 8.0 through 8.1.1. When dealing with Tar archives, Gradle failed to validate that files could be written outside of the unpack location, often referenced as TarSlip, a variant of ZipSlip. The vulnerability was disclosed on June 30, 2023, and has been patched in versions 7.6.2 and 8.2 (GitHub Advisory, NVD).

The vulnerability stems from Gradle's handling of Tar archive entries without proper path validation. When unpacking Tar archives, the software did not verify whether files could be written outside the intended unpack location. The issue was identified in the TarFileTree.java component where the safeEntryName method returned entry names without validation. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH) from NVD, with a vector string of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability can lead to two primary security impacts: arbitrary file write and information disclosure. When unpacking Tar archives, attackers could potentially overwrite important files anywhere the Gradle process has write permissions. For builds reading Tar entries, the vulnerability could allow disclosure of sensitive information through arbitrary file read. The vulnerability is particularly concerning for Gradle's Build Cache feature, where a compromised remote build cache server could inject malicious build cache entries (GitHub Advisory).

The primary mitigation is to upgrade to Gradle version 7.6.2 or 8.2 and above, where the software will refuse to handle Tar archives containing path traversal elements in entry names. For users unable to upgrade immediately, there are no direct workarounds. However, it is recommended to inspect any Tar archives that are not fully trusted and ensure that only trusted parties have write access to the Gradle remote build cache with properly secured connections (GitHub Advisory).

The vulnerability has received attention from major organizations, with NetApp issuing a security advisory (NTAP-20230803-0007) to assess the impact on their products. The security community has classified this as a variant of the known ZipSlip vulnerability pattern, highlighting the ongoing challenges with archive file handling in build tools (NetApp Advisory).