PT-2018-4215 · Red Hat+1 · Jboss Eap+2

Published: 2018-03-19 · Updated: 2018-04-18 · CVE-2014-3626

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Grails Resource Plugin versions prior to 1.2.13

Description: A double decoding vulnerability exists due to a bug in the Grails Resource Plugin: after performing its directory traversal check, the plugin returns the decoded version of the URI rather than the normalized version that was actually checked. Because the value handed back to the container is decoded a second time, the traversal check can be bypassed, leading to directory traversal attacks. The vulnerability is exposed in certain environments, specifically when the application is deployed to JBoss EAP 6.3, JBoss AS 7.4, or JBoss AS 7.1, because servlet containers differ in how they resolve URLs. The JBoss vfs URL protocol supports resolving any file on the filesystem, which makes directory traversal possible. Other containers may also be affected.

Recommendations: For Grails Resource Plugin versions prior to 1.2.13, update to version 1.2.13 or later to address the double decoding vulnerability. As a temporary workaround, consider restricting access to resources whose full path includes a '%' character, to minimize the risk of exploitation. Additionally, applications deployed to vulnerable containers such as JBoss should be updated to a non-vulnerable version of the Grails Resource Plugin to prevent directory traversal attacks.
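The defect described above is an ordering problem: the traversal check runs on one representation of the path, but a differently decoded representation is what gets resolved. The following is an added illustration written for this entry, not code from the Grails Resource Plugin or from JBoss. It models a servlet container that has already URL-decoded the request once (so the plugin sees a string that may still contain percent-encoding), a simplified `WEB_ROOT`, a `resolve_vulnerable` function that reproduces the flawed order (check, then decode again), and a `resolve_fixed` function that decodes first, applies the '%'-rejection workaround from the recommendations, checks the canonical path, and returns exactly the value that was checked. All paths and the sample request are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the model (assumption, not a real deployment path).
WEB_ROOT = "/app/webroot"


def _canonical_under_root(relative: str):
    """Join a root-relative path onto WEB_ROOT, normalize it, and return the
    canonical filesystem path if it is still inside WEB_ROOT, else None."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, relative.lstrip("/")))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None


def _container_resolve(relative: str) -> str:
    """Model of a permissive container resolver (the page notes the JBoss vfs
    protocol can resolve any file): it normalizes without a root check."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, relative.lstrip("/")))


def resolve_vulnerable(container_decoded_uri: str):
    """Flawed order from the description: the traversal check looks at the
    once-decoded string, but the string passed on to the container is decoded
    a second time, so the value checked is not the value resolved."""
    if _canonical_under_root(container_decoded_uri) is None:
        return None  # plain '..' is caught here
    twice_decoded = unquote(container_decoded_uri)  # second decode AFTER the check
    return _container_resolve(twice_decoded)


def resolve_fixed(container_decoded_uri: str):
    """Hardened order: finish all decoding, refuse any residual '%' (the
    workaround from the recommendations), canonicalize, and return the
    canonical path itself so nothing downstream re-interprets it."""
    decoded = unquote(container_decoded_uri)
    if "%" in decoded:
        return None  # still encoded after decoding: reject rather than guess
    return _canonical_under_root(decoded)


if __name__ == "__main__":
    # Constructed request as the plugin would see it after one container decode.
    sample = "/css/%2e%2e/%2e%2e/conf/app.properties"
    print("vulnerable ->", resolve_vulnerable(sample))  # escapes WEB_ROOT
    print("fixed      ->", resolve_fixed(sample))       # None
    print("fixed      ->", resolve_fixed("/css/main.css"))
```

The two functions differ only in where decoding happens relative to the check, which is the whole point of the advisory: a canonicalization check is only meaningful if the canonical form is also the form that gets used.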

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2014-3626

Affected Products

Grails Resource Plugin
Jboss As
Jboss Eap