CVE-2023-44387

Name: CVE-2023-44387
Creator: NVD / NIST
Published: 2023-10-05T18:15:12.787+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.21%

Last modified Jun 17, 2026

CVE-2023-44387 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. EPSS estimates a 0.21% chance of exploitation in the next 30 days.

Description

Gradle is a build tool with a focus on build automation and support for multi-language development. When copying or archiving symlinked files, Gradle resolves them but applies the permissions of the symlink itself instead of the permissions of the linked file to the resulting file. This leads to files having too much permissions given that symlinks usually are world readable and writeable. While it is unlikely this results in a direct vulnerability for the impacted build, it may open up attack vectors depending on where build artifacts end up being copied to or un-archived. In versions 7.6.3, 8.4 and above, Gradle will now properly use the permissions of the file pointed at by the symlink to set permissions of the copied or archived file.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Probability

0.21%

11.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-732

Affected Software

Vendor	Product	Versions
Gradle	Gradle	< 7.6.3
Gradle	Gradle	>= 8.0.0, < 8.4.0

References

https://github.com/gradle/gradle/commit/3b406191e24d69e7e42dc3f3b5cc50625aa930b7Patch
https://github.com/gradle/gradle/releases/tag/v7.6.3Release Notes
https://github.com/gradle/gradle/releases/tag/v8.4.0Release Notes
https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9Vendor Advisory
https://security.netapp.com/advisory/ntap-20231110-0006/Third Party Advisory
https://github.com/gradle/gradle/commit/3b406191e24d69e7e42dc3f3b5cc50625aa930b7Patch
https://github.com/gradle/gradle/releases/tag/v7.6.3Release Notes
https://github.com/gradle/gradle/releases/tag/v8.4.0Release Notes
https://github.com/gradle/gradle/security/advisories/GHSA-43r3-pqhv-f7h9Vendor Advisory
https://security.netapp.com/advisory/ntap-20231110-0006/Third Party Advisory

Timeline

Published: Oct 5, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-44387?

How severe is CVE-2023-44387?

CVE-2023-44387 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.21% probability of exploitation in the next 30 days.

How do I fix CVE-2023-44387?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-44387?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST