CVE-2022-23630 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2022-23630 Interim 1 7 2025-02-16T03:10:12Z current 2022-02-18T02:28:30Z 2025-02-16T03:10:12Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2022-23630 Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Enterprise Storage 7 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Real Time 15 SP2 SUSE Linux Enterprise Server 15 SP2-LTSS SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Linux Enterprise Server Business Critical Linux 15 SP2 SUSE Linux Enterprise Server for SAP Applications 15 SP2 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Manager Proxy 4.1 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Manager Retail Branch Server 4.1 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 SUSE Manager Server 4.1 SUSE Linux Enterprise Module for Development Tools 15 SP3 SUSE Linux Enterprise Module for Development Tools 15 SP4 gradle gradle as a component of SUSE Enterprise Storage 7 gradle as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS gradle as a component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS gradle as a component of SUSE Linux Enterprise Module for Development Tools 15 SP3 gradle as a component of SUSE Linux Enterprise Module for Development Tools 15 SP4 gradle as a component of SUSE Linux Enterprise Real Time 15 SP2 gradle as a component of SUSE Linux Enterprise Server 15 SP2-LTSS gradle as a component of SUSE Linux Enterprise Server Business Critical Linux 15 SP2 gradle as a component of SUSE Linux Enterprise Server for SAP Applications 15 SP2 gradle as a component of SUSE Manager Proxy 4.1 gradle as a component of SUSE Manager Retail Branch Server 4.1 gradle as a component of SUSE Manager Server 4.1 Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations have common dependencies with other configurations that have dependency verification enabled. If the configuration that has dependency verification disabled is resolved first, Gradle does not verify the common dependencies for the configuration that has dependency verification enabled. Gradle 7.4 fixes that issue by validating artifacts at least once if they are present in a resolved configuration that has dependency verification active. For users who cannot update either do not use `ResolutionStrategy.disableDependencyVerification()` and do not use plugins that use that method to disable dependency verification for a single configuration or make sure resolution of configuration that disable that feature do not happen in builds that resolve configuration where the feature is enabled. CVE-2022-23630 SUSE Enterprise Storage 7:gradle SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS:gradle SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:gradle SUSE Linux Enterprise Module for Development Tools 15 SP3:gradle SUSE Linux Enterprise Module for Development Tools 15 SP4:gradle SUSE Linux Enterprise Real Time 15 SP2:gradle SUSE Linux Enterprise Server 15 SP2-LTSS:gradle SUSE Linux Enterprise Server Business Critical Linux 15 SP2:gradle SUSE Linux Enterprise Server for SAP Applications 15 SP2:gradle SUSE Manager Proxy 4.1:gradle SUSE Manager Retail Branch Server 4.1:gradle SUSE Manager Server 4.1:gradle moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P 6.4 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H