CVE-2023-30853

7.6 HIGH

📋 TL;DR

A vulnerability in Gradle Build Action versions prior to 2.4.2 exposes GitHub Actions secrets when the Gradle configuration cache is enabled. Secrets stored as environment variables can be persisted in GitHub Actions cache entries, which could be read by workflows running in untrusted contexts like pull requests from forks. This affects GitHub users who use Gradle Build Action with configuration cache enabled.

💻 Affected Systems

Products:
  • Gradle Build Action
Versions: All versions prior to 2.4.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Gradle configuration cache is enabled. GitHub Actions workflows using the affected action are impacted.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Repository secrets (API keys, tokens, credentials) are exfiltrated by malicious pull requests, leading to unauthorized access to connected systems, data breaches, or infrastructure compromise.

🟠 Likely Case

Secrets exposed in cache entries could be read by workflows from untrusted pull requests, potentially compromising repository-specific credentials.

🟢 If Mitigated

With proper controls (PR workflow approval, cache inspection), risk is limited to potential exposure of secrets that can be rotated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to submit pull requests with malicious workflow changes. No evidence of exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2

Vendor Advisory: https://github.com/gradle/gradle-build-action/security/advisories/GHSA-h3qr-39j9-4r5v

Restart Required: No

Instructions:

1. Update the GitHub Actions workflow to use 'gradle/gradle-build-action@v2.4.2' or newer.
2. Delete existing cache entries matching the 'configuration-cache-*' pattern.
3. Rotate potentially exposed secrets.

🔧 Temporary Workarounds

Disable configuration cache

Applies to: all

Add the --no-configuration-cache argument to the Gradle commands in the workflow:

./gradlew --no-configuration-cache build

Avoid configuration cache entirely

Applies to: all

Do not enable the Gradle configuration cache feature.

🧯 If You Can't Patch

  • Delete all GitHub Actions cache entries matching 'configuration-cache-*' pattern
  • Require manual approval for all PR workflows, especially from external contributors
  • Rotate all repository secrets that may have been exposed

🔍 How to Verify

Check if Vulnerable:

Check whether any GitHub Actions workflow uses gradle-build-action at a version below 2.4.2 with the Gradle configuration cache enabled.

Check Version:

Check GitHub Actions workflow YAML for 'gradle/gradle-build-action@' reference

Verify Fix Applied:

Confirm the workflow uses gradle-build-action@v2.4.2 or newer and that no cache entries match the 'configuration-cache-*' pattern.
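As an added example that is not part of this advisory, the bash audit below applies the check above to a directory of workflow files: it flags pins of gradle/gradle-build-action below 2.4.2 whose workflow passes --configuration-cache to Gradle, and reports floating tags such as @v2 separately because they cannot be judged from the YAML alone. The two workflow files it writes are constructed for the demo; removing the matching cache entries still has to be done in GitHub.

```shell
#!/usr/bin/env bash
# Added example, not from the advisory: audit workflow files for pins of
# gradle/gradle-build-action below 2.4.2 that also pass
# --configuration-cache to Gradle. Sample files below are constructed.

FIXED_VERSION="2.4.2"

# True when $1 sorts strictly before $2 as a version (sort -V ordering).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Does the workflow pass --configuration-cache? The literal does not
# match --no-configuration-cache ("no-" sits before the flag name).
# Caveat: org.gradle.configuration-cache=true in gradle.properties also
# enables it and is not covered by this check.
uses_config_cache() {
  grep -q -- '--configuration-cache' "$1"
}

# Print "<verdict> <file> <version>" per distinct pin in each workflow.
# Pins with fewer than three components (e.g. @v2) are floating tags and
# cannot be judged from the YAML alone, so they are reported as such.
scan_workflows() {
  local dir="$1" file="" pin="" ver="" dots=""
  for file in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$file" ] || continue
    grep -o 'gradle/gradle-build-action@v*[0-9][0-9.]*' "$file" | sort -u |
    while read -r pin; do
      ver="${pin##*@}"; ver="${ver#v}"; dots="${ver//[^.]/}"
      if [ "${#dots}" -lt 2 ]; then
        echo "floating $file v$ver"
      elif version_lt "$ver" "$FIXED_VERSION" && uses_config_cache "$file"; then
        echo "vulnerable $file $ver"
      elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "outdated $file $ver"
      else
        echo "fixed $file $ver"
      fi
    done
  done
}

# Stand-alone demo on two constructed workflow files.
demo="$(mktemp -d)"
printf 'steps:\n  - uses: gradle/gradle-build-action@v2.4.0\n    with:\n      arguments: --configuration-cache build\n' > "$demo/ci.yml"
printf 'steps:\n  - uses: gradle/gradle-build-action@v2.4.2\n' > "$demo/release.yml"
scan_workflows "$demo"; rm -rf "$demo"
```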

📡 Detection & Monitoring

Log Indicators:

  • Pull requests attempting to read .gradle directories or Gradle User Home
  • Workflow changes that extract data from cache

Network Indicators:

  • Unusual outbound connections from GitHub Actions runners

SIEM Query:

GitHub audit logs showing cache access patterns or PR workflow executions
