Potential remote-code-execution and denial-of-service via zlib dependency

Affected product(s)

  • Gradle Enterprise < 2022.2
  • Gradle Enterprise Test Distribution Agent Image < 1.6.8
  • Gradle Enterprise Build Cache Node Image < 12.2
  • Gradle Admin CLI Image < 1.3

Severity

Low

Published at

2022-04-19

Related CVE ID(s)

Description

The zlib compression library, used by several Gradle Enterprise components, contains a memory corruption bug that can potentially lead to denial-of-service (DoS) or remote code execution (RCE) when compressing maliciously crafted data.

The likelihood of exploiting this vulnerability as part of Gradle Enterprise is low because users cannot influence the compressed data directly; they can only control it indirectly.

The zlib library is a system library included in the container images of various Gradle Enterprise components. The updated versions of these components ship zlib 1.2.12, which fixes the underlying bug.

Mitigation

Users should update to the latest version of Gradle Enterprise, or any Gradle-supplied container image.
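The following is an added example, not code from Gradle or from this advisory, that a user can run inside a container image (or any host) to confirm the zlib actually loaded at run time is at or above 1.2.12, the fixed version named above. It compares versions numerically rather than as strings, because a plain string comparison would wrongly treat "1.2.9" as newer than "1.2.12". The version strings in the test are constructed for illustration; `zlib.ZLIB_RUNTIME_VERSION` and `zlib.ZLIB_VERSION` are standard attributes of Python's `zlib` module.

```python
import re
import zlib

# Version in which the zlib deflate memory-corruption bug described in the
# advisory is fixed (value taken from the advisory text).
FIXED_ZLIB_VERSION = "1.2.12"


def parse_version(version: str) -> tuple:
    """Turn a zlib version string such as '1.2.11' or '1.2.11.1' into a
    tuple of ints so that versions compare numerically, not lexically."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised zlib version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_below_fix(version: str, fixed: str = FIXED_ZLIB_VERSION) -> bool:
    """True if `version` is older than the release that carries the fix.
    This is a version check only: distributions sometimes backport the fix
    into an older version number, so a True result means 'verify', not
    'confirmed vulnerable'."""
    return parse_version(version) < parse_version(fixed)


def check_runtime_zlib() -> dict:
    """Report the zlib the running interpreter is linked against.
    ZLIB_RUNTIME_VERSION is the shared library loaded at run time, which is
    what matters inside a container image; ZLIB_VERSION is only the header
    version the interpreter was built with."""
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION)
    return {
        "build_version": zlib.ZLIB_VERSION,
        "runtime_version": runtime,
        "below_fix": is_below_fix(runtime),
    }


if __name__ == "__main__":
    report = check_runtime_zlib()
    status = "below fixed version, verify/update" if report["below_fix"] else "ok"
    print(f"zlib runtime {report['runtime_version']} "
          f"(built against {report['build_version']}): {status}")
```

Running this with the image's own Python (for example via `docker run --rm <image> python3 check_zlib.py`, with the script mounted or copied in) reports the library the container really loads; checking the version on the host is not sufficient, because each image carries its own copy of zlib.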