CVE-2022-23630: Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification a...

Description

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.30%

66.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-829

Affected Software

Vendor	Product	Versions
Gradle	Gradle	>= 6.2.0, <= 7.3.3

References

https://docs.gradle.org/7.4/release-notes.htmlRelease Notes, Vendor Advisory
https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351Patch, Third Party Advisory
https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgrMitigation, Third Party Advisory
https://docs.gradle.org/7.4/release-notes.htmlRelease Notes, Vendor Advisory
https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351Patch, Third Party Advisory
https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgrMitigation, Third Party Advisory

Timeline

Published: Feb 10, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-23630?

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled.

How severe is CVE-2022-23630?

CVE-2022-23630 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.30% probability of exploitation in the next 30 days.

How do I fix CVE-2022-23630?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.