Supply Chain Attack - Gradle


Description

The declarations in the wrapper property file do not guarantee the integrity of the Gradle wrapper distribution. A tampered distribution can compromise the build, which in turn can be affected by malicious code hidden in compromised third-party code.

Impact

Dependencies or build components can be overridden with malicious content.

Recommendation

Do not use the Gradle wrapper shipped with an arbitrary project obtained from GitHub or elsewhere on the Internet. Remove it or replace it with a wrapper generated locally. Add the distributionSha256Sum attribute with the SHA-256 checksum of the distribution referenced in the distributionUrl attribute.
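The check below is an added example, not Fluid Attacks' own code: it reads a gradle-wrapper.properties file, reports when distributionSha256Sum is missing or malformed or when distributionUrl is not an HTTPS URL on the official Gradle host (the allowed-host set is an assumption; add your internal mirror if you use one), and verifies an already-downloaded distribution archive against the pinned digest. The archive bytes and the wrapper file pinned to them are constructed for the demonstration.

```python
"""Audit gradle-wrapper.properties for distribution pinning (added example)."""
import hashlib
import re
from urllib.parse import urlparse

ALLOWED_HOSTS = {"services.gradle.org"}  # assumption: only the official host
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: key=value, '#'/'!' comments, '\\:' unescaped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def audit_wrapper(text: str) -> list:
    """Return findings; an empty list means pinned and fetched over HTTPS."""
    props, findings = parse_properties(text), []
    url = props.get("distributionUrl")
    if url is None:
        findings.append("distributionUrl missing")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append("distributionUrl not HTTPS")
        if parsed.hostname not in ALLOWED_HOSTS:
            findings.append("distributionUrl host not allowed")
    digest = props.get("distributionSha256Sum")
    if digest is None:
        findings.append("distributionSha256Sum missing")
    elif not SHA256_RE.match(digest.lower()):
        findings.append("distributionSha256Sum malformed")
    return findings


def verify_distribution(archive: bytes, text: str) -> bool:
    """True only if the archive hashes to the pinned distributionSha256Sum."""
    pinned = parse_properties(text).get("distributionSha256Sum", "").lower()
    return bool(pinned) and hashlib.sha256(archive).hexdigest() == pinned


# Constructed stand-in for a downloaded distribution and a wrapper file pinned to it.
FAKE_ARCHIVE = b"constructed bytes, not a real gradle-7.0.2-bin.zip"
PINNED_PROPS = ("distributionUrl=https\\://services.gradle.org/distributions/gradle-7.0.2-bin.zip\n"
                "distributionSha256Sum=" + hashlib.sha256(FAKE_ARCHIVE).hexdigest() + "\n")
```

Run audit_wrapper over gradle/wrapper/gradle-wrapper.properties in CI and fail the pipeline on any finding; verify_distribution is what the wrapper itself does once the digest is pinned.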

Threat

Anonymous attacker from the Internet with write access to the provider's releases.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the source code.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: R
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: U
  • Remediation level: O
  • Report confidence: R

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:R
  • Score:
    • Base: 3.1
    • Temporal: 2.6
  • Severity:
    • Base: Low
    • Temporal: Low

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the source code.

Base 4.0

  • Attack vector: N
  • Attack complexity: H
  • Attack Requirements: P
  • Privileges required: N
  • User interaction: A
  • Confidentiality (VC): N
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: U

Result 4.0

  • Vector string: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
  • Score:
    • CVSS-BT: 0.5
  • Severity:
    • CVSS-BT: Low

Compliant code

.properties
android.enableJetifier=true
android.useAndroidX=true
# Example with Gradle 7.0.2
distributionUrl=https\://services.gradle.org/distributions/gradle-7.0.2-bin.zip
distributionSha256Sum=bf8b869948901d422e9bb7d1fa61da6a6e19411baa7ad6ee929073df85d6365d

Non compliant code

.properties
android.enableJetifier=true
android.useAndroidX=true

Requirements

Fixes
