Security Vulnerability in Asset-Pipeline and Jetty
September 23, 2018
Asset-pipeline has been the default plugin for handling static assets in a Grails® web application since Grails 2.4.0. A security vulnerability that involves asset-pipeline and Jetty has been identified.
The vulnerability affects all asset-pipeline users that deploy Grails applications in Jetty, and it allows directory traversal and download any file knowing its specific directory.
Reproducing The Issue
- Create a new grails application:
grails create-app foo
- Build a war file:
- Deploy to Jetty
- Send the following request to download Application.class
wget localhost:8080/foo-0.1/assets/..%5c%5cfoo%5cApplication.class -O Application.class
- It is also possible to download any any arbitrary file if the path is known. For example to download
curl -v localhost:8080/foo-0.1/assets/..%5capplication.yml.
Fixing The Issue
The vulnerability has been addressed in recent versions of the asset-pipeline plugin:
- 126.96.36.199 for Grails 2.x
- 2.15.1 for Grails 3 and Java 7
- 3.0.6 for Grails 3 and Java 8