Potential remote-code-execution and denial-of-service via zlib dependency
Affected product(s)
- Gradle Enterprise < 2022.2
- Gradle Enterprise Test Distribution Agent Image < 1.6.8
- Gradle Enterprise Build Cache Node Image < 12.2
- Gradle Admin CLI Image < 1.3
Severity
Low
Published at
2022-04-19
Related CVE ID(s)
Description
The zlib compression library, used by several Gradle Enterprise components, contains a memory corruption bug that can lead to denial of service (DoS) or, potentially, remote code execution (RCE) when compressing maliciously crafted data.
The likelihood of exploiting this vulnerability through Gradle Enterprise is low: the bug is triggered on the compression side, and users do not directly control the data that Gradle Enterprise components compress. They can influence it only indirectly.
The zlib library is a system library included in the container images of the affected Gradle Enterprise components. Updated versions of these components ship zlib version 1.2.12, which fixes the root-cause bug.
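Since the fix lives in a system library rather than in Gradle Enterprise's own code, the practical check is which zlib a running component actually links at runtime, not which version its packaging claims. The following script is an added example, not part of this advisory or of Gradle's tooling: it reads the zlib version from the process that runs it (assumed to be run inside the container image, where CPython links the container's system libz) and compares it against 1.2.12, the fixed release named above. The version parser tolerates distribution suffixes such as `1.2.11.dfsg`; note that some distributions backport security fixes without bumping the upstream version string, so for OS packages the package changelog, not this check, is authoritative.

```python
import re
import zlib

# First upstream zlib release containing the fix, per the advisory above.
FIXED_VERSION = (1, 2, 12)


def parse_zlib_version(version_string):
    """Turn a zlib version string into a comparable (major, minor, patch) tuple.

    Only the leading numeric components are used, so strings such as
    "1.2.11", "1.3" or "1.2.11.dfsg" (Debian-style suffix) all parse.
    Missing components are treated as 0.
    """
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version_string)
    if not m:
        raise ValueError(f"unrecognised zlib version string: {version_string!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def zlib_is_fixed(version_string):
    """True if the given zlib version is 1.2.12 or later."""
    return parse_zlib_version(version_string) >= FIXED_VERSION


def runtime_zlib_report():
    """Compare the zlib Python was compiled against with the one loaded at runtime.

    ZLIB_VERSION is the header version at build time; ZLIB_RUNTIME_VERSION is
    the shared library actually loaded. In a container image it is the runtime
    value that matters, since that is the library the component executes.
    """
    compiled = zlib.ZLIB_VERSION
    runtime = zlib.ZLIB_RUNTIME_VERSION
    return {
        "compiled_against": compiled,
        "loaded_at_runtime": runtime,
        "runtime_is_fixed": zlib_is_fixed(runtime),
    }


if __name__ == "__main__":
    report = runtime_zlib_report()
    for key, value in report.items():
        print(f"{key}: {value}")
    # Non-zero exit so the check can gate an image-build or CI pipeline.
    raise SystemExit(0 if report["runtime_is_fixed"] else 1)
```

Run it inside each affected image (for example via the image's shell) and gate on the exit status; a `loaded_at_runtime` value below 1.2.12 means the image still carries the vulnerable library regardless of the Gradle Enterprise version printed elsewhere.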
Mitigation
Users should update to the latest version of Gradle Enterprise and to the latest version of any Gradle-supplied container image they run; the minimum fixed versions are listed under Affected product(s) above.