CVE-2021-32751
📋 TL;DR
CVE-2021-32751 allows arbitrary code execution when attackers can manipulate environment variables for users running vulnerable Gradle start scripts or gradlew scripts. This affects users of Gradle on Unix-like systems who use the application plugin's generated scripts or gradlew. The vulnerability stems from unsafe use of eval in bash scripts.
💻 Affected Systems
- Gradle
📦 What is this software?
Gradle by Gradle
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the user running the vulnerable script, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Limited code execution within the context of the build process, potentially compromising build artifacts, injecting malicious code into applications, or stealing credentials from build environments.
If Mitigated
No impact if environment variables are properly secured or scripts are patched/upgraded.
🎯 Exploit Status
Exploitation requires ability to set environment variables for the target user, which typically requires some level of access or privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Gradle 7.2
Vendor Advisory: https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8
Restart Required: No
Instructions:
1. Upgrade Gradle to version 7.2 or later.
2. For existing projects, update gradle-wrapper.properties to use distributionUrl=https\://services.gradle.org/distributions/gradle-7.2-all.zip.
3. Run ./gradlew wrapper to update the wrapper script.
🔧 Temporary Workarounds
Generate new gradlew script with Gradle 7.2
Linux: Create a new gradlew script using Gradle 7.2 and use it with older Gradle versions
gradle wrapper --gradle-version 7.2
./gradlew wrapper
Secure environment variables
All platforms: Prevent untrusted users from modifying environment variables of users executing gradlew or start scripts
Review and restrict environment variable permissions in CI/CD systems and multi-user environments
🧯 If You Can't Patch
- Manually patch start scripts to remove eval usage or hardcode values instead of using environment variables
- Run applications directly with java command instead of using generated start scripts for simple applications
🔍 How to Verify
Check if Vulnerable:
Check Gradle version with: ./gradlew --version | grep Gradle. If version is below 7.2, check if start scripts or gradlew use eval with environment variables.
Check Version:
./gradlew --version | grep Gradle
Verify Fix Applied:
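Verify that the Gradle version is 7.2 or higher. ./gradlew --version | grep 'Gradle 7\.2' matches only 7.2.x releases, so for later versions read the version from ./gradlew --version | grep Gradle. Check that the gradlew script doesn't contain unsafe eval usage.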
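One way to carry out the "check if start scripts or gradlew use eval with environment variables" step, as an added example that is not Gradle's or the advisory's code: a POSIX shell helper, under the hypothetical name find_eval_expansions, that lists each eval command in a script together with the variables expanded in its arguments. It is a heuristic that only joins backslash-continued lines, so a hit is a line to review, not proof that the script is vulnerable.

```shell
#!/bin/sh
# Added example: review helper for generated start scripts and gradlew.
# Usage: find_eval_expansions ./gradlew
# Output: FILE:LINE: VAR1 VAR2 ...   (one line per eval command that
# expands at least one shell variable; LINE is where the command starts)
find_eval_expansions() {
    awk '
    {
        # Join backslash-continued lines so a multi-line eval is one command.
        if (!cont) { start = FNR; buf = "" }
        line = $0
        if (line ~ /\\$/) {
            sub(/\\$/, "", line)
            buf = buf line
            cont = 1
            next
        }
        # Leading space lets one pattern match eval at the start of a line.
        cmd = " " buf line
        cont = 0

        if (cmd ~ /^[ \t]*#/) next                     # comment-only line
        if (!match(cmd, /[;&|({ \t]eval[ \t]/)) next   # eval not used as a command
        cmd = substr(cmd, RSTART + RLENGTH)            # text handed to eval

        # Collect every $NAME or ${NAME expansion in the eval arguments.
        vars = ""
        while (match(cmd, /[$][{]?[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr(cmd, RSTART, RLENGTH)
            gsub(/[${]/, "", name)
            vars = vars " " name
            cmd = substr(cmd, RSTART + RLENGTH)
        }
        if (vars != "") printf "%s:%d:%s\n", FILENAME, start, vars
    }' "$1"
}
```

Empty output means no single-line or backslash-continued eval in the file expands a variable; the variable names in each hit show which environment inputs to trace.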
📡 Detection & Monitoring
Log Indicators:
- Unexpected command execution in build logs
- Suspicious environment variable modifications in system logs
- Failed or abnormal gradlew execution attempts
Network Indicators:
- Unusual outbound connections from build systems during gradle execution
SIEM Query:
(process_name:"gradlew" OR process_name:"gradle") AND (command_line:"eval" OR command_line:<environment variable manipulation patterns>)
🔗 References
- https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8
- https://medium.com/dot-debug/the-perils-of-bash-eval-cc5f9e309cae
- https://mywiki.wooledge.org/BashFAQ/048