PT-2020-19680 · Jooby · Jooby

Jknack

Published: 2020-05-11 · Updated: 2020-05-14

CVE-2020-7647

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

io.jooby:jooby versions prior to 1.6.7
org.jooby:jooby versions prior to 1.6.7
io.jooby:jooby versions 2.0.0 through 2.8.2
org.jooby:jooby versions 2.0.0 through 2.8.2

Description

The issue allows access to sensitive information available from the classpath via Directory Traversal. This can be achieved through two separate vectors. First, when a file system directory is shared, the class path is also searched for the requested file, so an attacker can retrieve configuration files or application class files that were never meant to be served. Second, assets configured to serve resources from the root of the class path can be traversed, again exposing sensitive information.

Recommendations

For io.jooby:jooby versions prior to 1.6.7, update to version 1.6.7. For org.jooby:jooby versions prior to 1.6.7, update to version 1.6.7. For io.jooby:jooby versions 2.0.0 through 2.8.2, update to version 2.8.2. For org.jooby:jooby versions 2.0.0 through 2.8.2, update to version 2.8.2. As a temporary workaround, restrict access to sensitive information available from the classpath until a patch is applied, and avoid using the assets function with file system directories or class path resources until the issue is resolved.
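As an added illustration of the two mitigations the advisory implies (not Jooby's code and not the referenced fix), the hypothetical SafeAssetResolver below serves file system assets only from inside a base directory with no classpath fallback, and serves classpath assets only below a dedicated prefix with dot segments rejected. It assumes Java 11+ and that the server has already URL-decoded the request path.

```java
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

// Hypothetical hardened asset resolver (not Jooby's code). Assumes the request
// path has already been URL-decoded by the server and that Java 11+ is used.
public final class SafeAssetResolver {
    private final Path baseDir;

    public SafeAssetResolver(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    // Vector 1 mitigation: resolve strictly inside baseDir and do not fall back
    // to the classpath when the file is missing on disk.
    public Optional<Path> resolveFile(String requestPath) {
        if (requestPath == null || requestPath.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        Path candidate = baseDir.resolve(requestPath.replaceFirst("^/+", "")).normalize();
        if (!candidate.startsWith(baseDir)) {
            return Optional.empty(); // ".." or an absolute path escaped baseDir
        }
        return Files.isRegularFile(candidate) ? Optional.of(candidate) : Optional.empty();
    }

    // Vector 2 mitigation: classpath assets are served only below a dedicated
    // prefix (never the root), and any dot segment is rejected before lookup.
    public static Optional<URL> resolveClasspath(String prefix, String requestPath) {
        if (prefix == null || prefix.isEmpty() || requestPath == null) {
            return Optional.empty();
        }
        for (String segment : requestPath.split("/")) {
            if (segment.equals("..") || segment.equals(".")) {
                return Optional.empty();
            }
        }
        String name = prefix + "/" + requestPath.replaceFirst("^/+", "");
        return Optional.ofNullable(SafeAssetResolver.class.getClassLoader().getResource(name));
    }

    public static void main(String[] args) throws Exception {
        Path base = Files.createTempDirectory("assets"); // constructed sample directory
        Files.writeString(base.resolve("app.js"), "console.log('ok');");
        SafeAssetResolver resolver = new SafeAssetResolver(base);
        System.out.println("/app.js served: " + resolver.resolveFile("/app.js").isPresent());
        System.out.println("/../application.conf served: " + resolver.resolveFile("/../application.conf").isPresent());
        System.out.println("classpath ../application.conf served: " + resolveClasspath("static", "../application.conf").isPresent());
    }
}
```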

Tags: Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers

CVE-2020-7647
GHSA-PX9H-X66R-8MPC
SNYK-JAVA-IOJOOBY-568806
SNYK-JAVA-ORGJOOBY-568807

Affected Products

Jooby