PT-2018-14078 · Grails · Grails Asset Pipeline Plugin

Ricterz · Published 2018-09-28 · Updated 2022-05-14 · CVE-2018-17605

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Grails Asset Pipeline plugin versions prior to 3.0.4
Description: The plugin allows an attacker to perform directory traversal via a crafted request when a servlet-based application is executed in Jetty. The root cause is a classloader-related flaw that opens a file-traversal route through AssetPipelineFilter.groovy or AssetPipelineFilterCore.groovy.
Recommendations: For Grails Asset Pipeline plugin versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the AssetPipelineFilter.groovy and AssetPipelineFilterCore.groovy files to minimize the risk of exploitation.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2018-17605
GHSA-G7WM-22M6-5774

Affected Products

Grails Asset Pipeline Plugin