447 – Supply Chain Attack - Gradle
Description
The declaration in the wrapper property file does not guarantee the integrity of the Gradle wrapper, so the build may be compromised and, in turn, affected by malicious code hidden in the compromised third-party code.
Impact
Override dependencies or components with malicious content.
Recommendation
Do not use a Gradle wrapper from an arbitrary project you have obtained from GitHub or elsewhere on the Internet. Remove it or replace it with a locally generated wrapper. Add the distributionSha256Sum attribute with the SHA-256 checksum corresponding to the distribution referenced in the distributionUrl attribute.
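The following check is added here as example code for this entry (it is not Fluid Attacks' tooling): it audits a gradle-wrapper.properties file for the conditions above and shows the SHA-256 comparison that a pinned distributionSha256Sum enables. The properties contents, the Gradle version in the URL and the digest are constructed, and the trusted-host set assumes only the official download host is in use.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse
# Constructed gradle-wrapper.properties; Java properties escape ':' as '\:'.
WEAK = """distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=http\\://services.gradle.org/distributions/gradle-8.5-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""
# Hardened form: https plus a pinned checksum. The digest is a constructed
# placeholder; a real one comes from Gradle's published release checksums.
HARDENED = WEAK.replace("http\\:", "https\\:") + (
    "distributionSha256Sum=" + "0123456789abcdef" * 4 + "\n")

SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")
TRUSTED_HOSTS = {"services.gradle.org"}  # assumption: no internal mirror

def parse_properties(text):
    """Minimal .properties parser: key=value lines, '\\:' unescaped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def audit_wrapper_properties(text):
    """Findings that explain why the wrapper cannot prove integrity."""
    props, findings = parse_properties(text), []
    url = urlparse(props.get("distributionUrl", ""))
    if url.scheme != "https":
        findings.append("distributionUrl is not https; download is tamperable in transit")
    if url.hostname not in TRUSTED_HOSTS:
        findings.append(f"distributionUrl host {url.hostname!r} is not trusted")
    digest = props.get("distributionSha256Sum")
    if digest is None:
        findings.append("distributionSha256Sum missing; distribution is never verified")
    elif not SHA256_HEX.match(digest):
        findings.append("distributionSha256Sum is not a 64-hex-digit SHA-256")
    return findings

def verify_distribution(zip_bytes, expected_sha256):
    """Same comparison the wrapper makes against distributionSha256Sum."""
    actual = hashlib.sha256(zip_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())
```

Running audit_wrapper_properties over a repository's gradle/wrapper/gradle-wrapper.properties in CI turns the missing checksum into a failing build rather than a silent trust decision.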
Threat
Anonymous attacker from the Internet with write access to the provider's releases.
Expected Remediation Time
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the source code.
Base 4.0
- Attack vector: N
- Attack complexity: H
- Attack Requirements: P
- Privileges required: N
- User interaction: A
- Confidentiality (VC): N
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: U