CVE-2023-42445: 
Gradle vulnerability analysis and mitigation

Gradle, a build automation tool, was found to have a vulnerability (CVE-2023-42445) where XML external entities resolution was not disabled in certain XML parsing operations. The vulnerability was discovered and disclosed in October 2023, affecting Gradle versions prior to 7.6.3 and 8.4. This security issue impacts various XML parsing functionalities within Gradle, particularly when handling Ivy XML descriptors and Maven POM files from remote repositories (GitHub Advisory, NVD).

The vulnerability is classified as an XML External Entity (XXE) issue (CWE-611). It received a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. The issue specifically occurs when Gradle parses XML files without disabling the resolution of XML external entities. When combined with an Out Of Band XXE attack (OOB-XXE), this vulnerability could lead to the exfiltration of local text files to a remote server (GitHub Advisory, NVD).

The primary impact of this vulnerability is the potential disclosure of sensitive information through file exfiltration. Among various use cases, Ivy descriptor parsing is particularly vulnerable and exploitable remotely. Other impacted functionalities include Maven Toolchains discovery, generation of Ivy and Maven metadata for publishing, EAR deployment descriptor parsing, and various IDE file generation tasks (GitHub Advisory).

The vulnerability has been patched in Gradle versions 7.6.3 and 8.4, where XML external entities resolution has been disabled for all use cases. For users unable to upgrade, a workaround is available by setting JAXP system properties: -Djavax.xml.accessExternalDTD=false, -Djavax.xml.accessExternalSchema=false, and -Djavax.xml.accessExternalStylesheet=false. These can be made persistent in the gradle.properties file (GitHub Advisory).