skip to content
Back to GitHub.com
Home Bounties CodeQL Research Advisories Get Involved Events
May 12, 2021

GHSL-2020-337_338: Arbitrary code execution when cloning/checking out a Gradle project - CVE-2021-29263

Alvaro Munoz

Coordinated Disclosure Timeline

Summary

Upon cloning or checking out a Gradle project from an external repository (Get from VCS), both IntelliJ IDEA and Android Studio, run the gradle build task.

Products

Tested Version

Build #IC-203.5981.155, built on November 30, 2020

Build #AI-201.8743.12.41.6953283, built on November 5, 2020

Details

Issue: Code execution when cloning/checking out a repository

When cloning or checking out a repository containing a Gradle project, Android Studio and IntelliJ will try to run the build task immediately without asking for a user confirmation that would give them the opportunity to analyze the build script.

If an attacker fools a developer into cloning or checking out a malicious repository, they will be able to run arbitrary code as part of the repository clone or checkout operation. For example, an attacker could hide a malware dropper using the Gradle’s Exec or try something more stealthy.

apply plugin: 'java'

sourceCompatibility = 1.8
targetCompatibility = 1.8

void checkRequirements(){
    exec {
      executable 'touch'
      args '/tmp/pwned_from_gradle'
    }

}

build{
    checkRequirements();
}

When searching for similar patterns I found the exact same issue being discussed as a malware spread vector which highlights why this issue should be addressed. In addition a similar vulnerability (CVE-2020-17156) was recently fixed in MS Visual Studio.

Impact

Arbitrary Code Execution on repository cloning/checkout.

CVE

Resources

https://blog.jetbrains.com/blog/2021/05/07/jetbrains-security-bulletin-q1-2021/

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2020-337, GHSL-2020-338 in any communication regarding this issue.