Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip dependency verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled on one or more configurations and those configurations share dependencies with other configurations that have dependency verification enabled. If a configuration with dependency verification disabled is resolved first, Gradle does not verify the shared dependencies when it later resolves a configuration that has dependency verification enabled. Gradle 7.4 fixes the issue by validating artifacts at least once whenever they are present in a resolved configuration that has dependency verification active. Users who cannot update should either not use `ResolutionStrategy.disableDependencyVerification()` (and not use plugins that call that method to disable dependency verification for a single configuration), or make sure that configurations which disable the feature are never resolved in builds that also resolve configurations where the feature is enabled.
Overall assessment: CVE-2022-23630 is medium risk (54/100). CVSS severity is High. Likelihood of exploitation is high (EPSS 1.30%, 67th percentile). Recommended action: inventory the affected assets and include them in a remediation plan.
Risk changes over time; the content shown on this page is updated based on re-evaluation.
EPSS estimates the relative likelihood of exploitation and is updated daily. The percentile indicates the relative position among all scored CVEs (higher means relatively more severe).
| # | Date | Old EPSS score | New EPSS score | Δ (new − old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.61% | 1.30% | +0.69% |
| 2 | 2025-03-30 | 1.92% | 0.61% | -1.31% |
| 3 | 2025-03-29 | — | 1.92% | — |
Full EPSS history (8 entries in total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH | | 1.6 | 5.9 | [email protected] |
| 7.5 | 3.1 | HIGH | | 1.6 | 5.9 | [email protected] |
| 6.0 | 2.0 | MEDIUM | | 6.8 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| alpine | high | CVE-2022-23630: 1 source package rows (gradle); 4 state rows across 2 repos (3.22-community, edge-community); fixed 0, open 4. | https://security.alpinelinux.org/vuln/CVE-2022-23630 |
| debian | unimportant | CVE-2022-23630 unimportant priority: Debian including 1 source packages (gradle), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2022-23630 |
| suse | medium | CVE-2022-23630 severity moderate: SUSE including 1 source package names (gradle), 12 product×package rows across 12 product lines (SUSE Enterprise Storage 7, SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS, … (12 product lines)): Known Not Affected 12. | https://www.suse.com/security/cve/CVE-2022-23630/ |
| ubuntu | medium | CVE-2022-23630 medium priority: Ubuntu including 1 source packages (gradle), 14 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 7, needs-triage 7. | https://ubuntu.com/security/CVE-2022-23630 |
| URL | Tags |
|---|---|
| https://docs.gradle.org/7.4/release-notes.html | Release Notes, Vendor Advisory |
| https://github.com/gradle/gradle/commit/88ab9b652933bc3b2e3161b31ad8b8f4f0516351 | Patch, Third Party Advisory |
| https://github.com/gradle/gradle/security/advisories/GHSA-9pf5-88jw-3qgr | Mitigation, Third Party Advisory |