Libraries vulnerable to Spring4Shell are distributed with Gradle Enterprise

Affected product(s)

  • Gradle Enterprise < 2022.1.1 (for CVE-2022-22965)
  • Gradle Enterprise < 2022.2 (for CVE-2022-22968)

Severity

Low

Published at

2022-04-04 (last updated on 2022-04-19)

Related CVE ID(s)

  • CVE-2022-22965
  • CVE-2022-22968

Description

The Spring4Shell vulnerability (CVE-2022-22965) allows remote code execution (RCE) in affected applications. A related vulnerability (CVE-2022-22968) was subsequently discovered that is of a similar nature but involves different Spring components.

Gradle Enterprise < 2022.2 includes Spring platform libraries that contain these vulnerabilities. However, the way Gradle Enterprise uses those libraries does not meet the preconditions required to expose them.

To avoid false positives when the Gradle Enterprise distribution is scanned for known vulnerabilities, version 2022.1.1 updates the Spring components to 5.3.18 to address CVE-2022-22965, and version 2022.2 updates them to 5.3.19 to address CVE-2022-22968.
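As an added check that is not part of the advisory, the script below reads the Spring Framework version out of the jar file names in an unpacked distribution and reports which of the two CVEs a purely version-based scanner would still flag, using the fixed versions stated above as thresholds. The list of Spring Framework module names it recognises and the sample file names in the test are assumptions.

```python
# Added example, not from the advisory: decide which of the advisory's CVEs a
# version-based scanner would still report for the Spring jars it finds.
import re
from pathlib import Path

# Fixed Spring Framework versions stated in the advisory.
FIXED_IN = {
    "CVE-2022-22965": (5, 3, 18),  # shipped with Gradle Enterprise 2022.1.1
    "CVE-2022-22968": (5, 3, 19),  # shipped with Gradle Enterprise 2022.2
}

# Assumed Spring Framework module names; excludes e.g. spring-boot-*.jar,
# whose version number is a Spring Boot version, not a Framework version.
JAR_RE = re.compile(
    r"^spring-(?:core|beans|context|aop|expression|web|webmvc|webflux)"
    r"-(\d+)\.(\d+)\.(\d+)\.jar$"
)


def parse_version(jar_name: str):
    """Return (major, minor, patch) from a Spring Framework jar name, else None."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def still_flagged(version):
    """CVEs whose fixed version is newer than the bundled version."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def scan_jar_names(names):
    """Map each recognised Spring Framework jar name to its outstanding CVEs."""
    report = {}
    for name in names:
        version = parse_version(name)
        if version is not None:
            report[name] = still_flagged(version)
    return report


def scan_distribution(root):
    """Recursively collect spring-*.jar names under an unpacked distribution."""
    return scan_jar_names(p.name for p in Path(root).rglob("spring-*.jar"))


if __name__ == "__main__":
    import sys
    for jar, cves in sorted(scan_distribution(sys.argv[1]).items()):
        print(f"{jar}: {', '.join(cves) if cves else 'no outstanding CVEs'}")
```

An empty list for every jar means the distribution carries the versions the advisory names and a scanner keyed on version numbers has nothing left to flag.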

Mitigation

Gradle Enterprise is not vulnerable to the Spring4Shell vulnerabilities, so no mitigation is necessary to avoid exploitation. Users who nonetheless want to remove the vulnerable libraries from their installation should upgrade to Gradle Enterprise 2022.2.