Libraries vulnerable to Spring4Shell are distributed with Gradle Enterprise
Affected product(s)
- Gradle Enterprise < 2022.1.1 (for CVE-2022-22965)
- Gradle Enterprise < 2022.2 (for CVE-2022-22968)
Severity
Low
Published at
2022-04-04 (last updated on 2022-04-19)
Related CVE ID(s)
- CVE-2022-22965
- CVE-2022-22968
Description
The Spring4Shell vulnerability allows remote code execution (RCE) for applications. A related vulnerability was subsequently discovered that is of a similar nature but involves different Spring components.
Gradle Enterprise < 2022.2 includes Spring platform libraries that contain the vulnerabilities. However, its usage of the libraries does not meet the preconditions for exposing the vulnerabilities.
To avoid creating false positives when scanning the Gradle Enterprise distribution for known vulnerabilities, version 2022.1.1 updates Spring components to version 5.3.18 in order to address CVE-2022-22965, and version 2022.2 updates Spring components to version 5.3.19 in order to address CVE-2022-22968.
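The false positives described above come from scanners that match bundled library versions against the fixed versions, regardless of whether the bundling application meets the exploit preconditions. The following script, added here as an illustration and not part of the advisory or of Gradle Enterprise, reproduces that version-only check so a reader can see which Spring Framework jars a scanner would flag against the two fixed versions the advisory names (5.3.18 for CVE-2022-22965, 5.3.19 for CVE-2022-22968). It assumes the jar file names follow the usual `spring-<module>-<version>.jar` convention, restricts itself to a subset of Spring Framework module names so that Spring Boot jars (which use a different version line) are not compared against 5.3.x, and uses a constructed list of file names as input.

```python
import re
from pathlib import PurePath

# Fixed Spring Framework versions as stated in the advisory:
# Gradle Enterprise 2022.1.1 moved to 5.3.18 (CVE-2022-22965),
# Gradle Enterprise 2022.2 moved to 5.3.19 (CVE-2022-22968).
FIXED_VERSIONS = {
    "CVE-2022-22965": (5, 3, 18),
    "CVE-2022-22968": (5, 3, 19),
}

# Subset of Spring Framework modules (assumption: only these are checked, so
# Spring Boot artifacts such as spring-boot-2.6.x are deliberately ignored).
SPRING_FRAMEWORK_MODULES = {
    "spring-aop", "spring-beans", "spring-context", "spring-core",
    "spring-expression", "spring-jcl", "spring-jdbc", "spring-messaging",
    "spring-orm", "spring-tx", "spring-web", "spring-webflux", "spring-webmvc",
}

# Matches e.g. spring-beans-5.3.17.jar or spring-core-5.3.17.RELEASE.jar.
SPRING_JAR = re.compile(
    r"^(spring-[a-z]+)-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$"
)


def parse_spring_jar(path):
    """Return (module, (major, minor, patch)) for a Spring Framework jar
    file name, or None if the file is not one of the checked modules."""
    m = SPRING_JAR.match(PurePath(path).name)
    if m is None or m.group(1) not in SPRING_FRAMEWORK_MODULES:
        return None
    version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return m.group(1), version


def flagged_cves(version):
    """List the CVEs a version-only scanner would report for this version,
    i.e. every CVE whose fixed version is newer than the bundled one."""
    return [cve for cve, fixed in FIXED_VERSIONS.items() if version < fixed]


def scan(paths):
    """Map each recognised Spring Framework jar to the CVEs it would be
    flagged for. An empty list means the jar is at or above both fixes."""
    report = {}
    for path in paths:
        parsed = parse_spring_jar(path)
        if parsed is None:
            continue
        _module, version = parsed
        report[PurePath(path).name] = flagged_cves(version)
    return report


# Constructed sample input: file names only, no real distribution is read.
SAMPLE_JARS = [
    "lib/spring-beans-5.3.17.jar",   # below both fixes
    "lib/spring-core-5.3.18.jar",    # fixed for CVE-2022-22965 only
    "lib/spring-web-5.3.19.jar",     # fixed for both
    "lib/spring-boot-2.6.5.jar",     # different version line, skipped
    "lib/guava-31.1-jre.jar",        # not Spring, skipped
]

if __name__ == "__main__":
    for jar, cves in scan(SAMPLE_JARS).items():
        print(f"{jar}: {', '.join(cves) if cves else 'not flagged'}")
```

Running the script prints one line per recognised jar. The point of the exercise is the gap between "flagged" and "exploitable": a jar below 5.3.18 would be reported by this check exactly as the advisory describes, even though the advisory states that Gradle Enterprise's use of the libraries does not meet the preconditions for the vulnerabilities, which is why the vendor chose to update the components rather than to argue with each scanner.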
Mitigation
Gradle Enterprise is not vulnerable to the Spring4Shell vulnerabilities, so no mitigation is necessary to avoid exploitation. Users wanting to prevent the presence of vulnerable libraries regardless should upgrade to Gradle Enterprise 2022.2.