Potential compromise of build or agent environment by test distribution agent or client imposter

Affected product(s)

  • gradle/gradle-enterprise-test-distribution-agent < 1.3.2 from Docker Hub
  • com.gradle.enterprise:test-distribution-gradle-plugin < 1.3.2 from Gradle Plugin Portal
  • com.gradle:gradle-enterprise-maven-extension >= 1.8 and < 1.8.2 from Maven Central

Severity

High

Related CVE ID(s)

Description

Gradle Enterprise Distributed Testing transfers files from the build client to the test execution agent, and vice versa, as TAR archives. The unpacking of such archives is susceptible to a “Zip Slip” vulnerability, where a maliciously crafted archive could create or overwrite arbitrary files on the local file system when unpacked.

A malicious actor with network access and test distribution agent registration credentials could register an alternative agent implementation to send such a crafted archive file to the build site.

A malicious actor with network access and test distribution usage credentials could register an alternative client implementation to send such a crafted archive file to the test execution site.

Test distribution agent version 1.3.2, Gradle plugin 1.3.2, and Maven extension 1.8.2 mitigate this vulnerability by refusing to unpack archive entries containing upward path traversal segments or file system links.
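
The kind of entry check described above, sketched in Python as an added example; it is not Gradle's code, which this advisory does not show. The function names and the in-memory sample archive are constructed for illustration, and the absolute-path check is an extra assumption beyond the two conditions the advisory names.

```python
from __future__ import annotations

import io
import tarfile
from pathlib import PurePosixPath


def rejection_reason(member: tarfile.TarInfo) -> str | None:
    """Return why an entry must be refused, or None if it may be unpacked."""
    if member.issym() or member.islnk():
        return "file system link"
    # Normalise Windows separators so "..\\x" is treated like "../x".
    path = PurePosixPath(member.name.replace("\\", "/"))
    if path.is_absolute():  # assumption: not stated in the advisory
        return "absolute path"
    if ".." in path.parts:
        return "upward path traversal segment"
    return None


def check_archive(data: bytes) -> list[tuple[str, str]]:
    """List (entry name, reason) for every entry that must not be unpacked."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return [(m.name, r) for m in tar if (r := rejection_reason(m))]


def unpack(data: bytes, dest: str) -> None:
    """Validate every entry first; write nothing if any entry is refused."""
    refused = check_archive(data)
    if refused:
        raise ValueError(f"archive refused: {refused}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        tar.extractall(dest)


def build_sample() -> bytes:
    """Constructed test archive: one ordinary file and three refused entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, link in [
            ("reports/TEST-a.xml", tarfile.REGTYPE, ""),
            ("reports/../../outside.txt", tarfile.REGTYPE, ""),
            ("latest", tarfile.SYMTYPE, "../elsewhere"),
            ("copy", tarfile.LNKTYPE, "reports/TEST-a.xml"),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            tar.addfile(info, io.BytesIO(b"") if kind == tarfile.REGTYPE else None)
    return buf.getvalue()
```

Validating the whole archive before writing anything means a refused entry late in the stream cannot leave a partially unpacked directory behind.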

Mitigation

Upgrade to test distribution agent version 1.3.2, Gradle plugin 1.3.2, and Maven extension 1.8.2.