CVE-2023-44387: 
Gradle vulnerability analysis and mitigation

Gradle, a build tool focused on build automation and multi-language development support, was found to have a security vulnerability identified as CVE-2023-44387. When copying or archiving symlinked files, Gradle resolves them but incorrectly applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This vulnerability affects Gradle versions prior to 7.6.3 and versions from 8.0.0 up to (excluding) 8.4.0. The issue was disclosed and patched in October 2023 (Gradle Advisory).

The vulnerability stems from Gradle's file handling mechanism where it fails to preserve symbolic links during copy or archive operations. Instead of maintaining the permissions of the target file, it applies the permissions of the symbolic link, which are typically world-readable and writeable. The vulnerability has been assigned a CVSS v3.1 base score of 3.2 LOW, with a vector string of CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N, indicating local access is required for exploitation (Gradle Advisory).

The incorrect permission assignment could lead to files having excessive permissions, as symlinks are usually world-readable and writeable. While this may not directly impact the build process, it could potentially create security vulnerabilities depending on where build artifacts are copied to or un-archived. The primary security concern is the potential exposure of sensitive information through incorrectly assigned file permissions (Gradle Advisory, NetApp Advisory).

The vulnerability has been fixed in Gradle versions 7.6.3 and 8.4.0, where the permissions of the target file will now be properly used when copying or archiving a symbolic link. For users unable to upgrade, it is recommended to explicitly set permissions for any symbolic links when copying or creating an archive (Gradle Advisory, Gradle Release).

The vulnerability was discovered by MartinHolland and has been acknowledged in various security advisories. Multiple organizations, including NetApp, have issued security advisories to their customers regarding this vulnerability. The issue was addressed promptly with the release of patched versions, demonstrating Gradle's commitment to security (NetApp Advisory, Gradle Release).