Gradle Build Action data written to GitHub Actions Cache may expose secrets

CVE-2023-30853

What is CVE-2023-30853?

A vulnerability exists in the Gradle Build Action for GitHub Actions that could lead to the unintended persistence of sensitive secrets in the GitHub Actions cache. This issue affects workflows using Gradle Build Action versions prior to 2.4.2, particularly those that have executed the Gradle Build Tool with configuration caching enabled. When secrets are passed to the Gradle Build Tool via environment variables, they might inadvertently be stored in the cache due to how the tool records these variables. This data may then be accessible to workflows running in untrusted contexts, such as Pull Requests from forked repositories. Although no evidence of exploitation has been found, it is advisable for users to upgrade to the latest version, remove any vulnerable cache entries, and consider rotating potentially compromised secrets to maintain repository security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References