PT-2018-9541 · Eclipse+1 · Jetty+1

Ricterz

Publicado

2018-12-20

Atualizado

2022-05-13

CVE-2018-1000817

CVSS v3.1

7.5

Alta

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Asset Pipeline Grails Plugin versions prior to 2.14.1.1 Asset Pipeline Grails Plugin versions prior to 2.15.1 Asset Pipeline Grails Plugin versions prior to 3.0.6

Description The issue is related to Incorrect Access Control in Applications deployed in Jetty, which can result in the download of .class files and any arbitrary file. This can be exploited via a specially crafted GET request containing directory traversal from the assets-pipeline context.

Recommendations For versions prior to 2.14.1.1, update to version 2.14.1.1 or later. For versions prior to 2.15.1, update to version 2.15.1 or later. For versions prior to 3.0.6, update to version 3.0.6 or later.

Exploit

Correção

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-22

Identificadores relacionados

CVE-2018-1000817

GHSA-W73Q-MC9G-J56X

Produtos afetados

Grails Asset Pipeline Plugin

Jetty

PT-2018-9541 · Eclipse+1 · Jetty+1

CVE-2018-1000817

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 5