Access to sensitive information available from classpath.
Patched version: 1.6.7 and 2.8.2
Commit 1.x: https://github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009
Commit 2.x: https://github.com/jooby-project/jooby/commit/c81479de67036993f406ccdec23990b44b0bec32
Is there a way for users to fix or remediate the vulnerability without upgrading?
Latest 1.x version: 1.6.6
When sharing a File System directory as in:
assets("/static/**", Paths.get("static"));
The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader):
jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub
private static Loader loader(final Path basedir, final ClassLoader classloader) {
  if (Files.exists(basedir)) {
    return name -> {
      Path path = basedir.resolve(name).normalize();
      if (Files.exists(path) && path.startsWith(basedir)) {
        try {
          return path.toUri().toURL();
        } catch (MalformedURLException x) {
          // shh
        }
      }
      return classloader.getResource(name);
    };
  }
  return classloader::getResource;
}
If we send /static/WEB-INF/web.xml, it will fail to load from the file system but will fall through to classloader.getResource(name), where name equals /WEB-INF/web.xml, so the lookup succeeds and returns the requested file. This way we can get any configuration file or even the application class files.
If assets are configured for a certain extension, the restriction can still be bypassed, e.g.:
assets("/static/**/*.js", Paths.get("static"));
We can send:
http://localhost:8080/static/io/yiss/App.class.js
This vulnerability also affects assets configured to access resources from the root of the class path, e.g.:
assets("/static/**");
In this case we can traverse static by sending:
http://localhost:8080/static/..%252fio/yiss/App.class
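For comparison with the loader quoted above, here is an added example (not Jooby's code and not the project's patch) of an asset lookup that answers from exactly one configured source: a file-system directory with no class path fallback, or a class path prefix that a request cannot climb out of. The class ConfinedAssets, its method names, the sample request names and the decision to reject any name still containing % or a backslash are assumptions of this example.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayDeque;
import java.util.Deque;

public class ConfinedAssets {
  // Normalize a request path segment by segment; null means "reject".
  static String safeName(String name) {
    // Conservative choice for this example: a leftover escape, backslash or NUL
    // means the path was not fully decoded upstream, so refuse it.
    if (name.indexOf('%') >= 0 || name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) return null;
    Deque<String> parts = new ArrayDeque<>();
    for (String seg : name.split("/")) {
      if (seg.isEmpty() || seg.equals(".")) continue;
      if (!seg.equals("..")) parts.addLast(seg);
      else if (parts.pollLast() == null) return null; // climbs above the root
    }
    return parts.isEmpty() ? null : String.join("/", parts);
  }

  // File-system source: answer from basedir or not at all (no class path fallback).
  static URL fromDirectory(Path basedir, String name) throws IOException {
    String safe = safeName(name);
    if (safe == null) return null;
    Path root = basedir.toRealPath();
    Path path = root.resolve(safe);
    // toRealPath() follows symlinks, so a link pointing outside root is refused too
    if (!Files.isRegularFile(path) || !path.toRealPath().startsWith(root)) return null;
    return path.toUri().toURL();
  }

  // Class path source: only names under the configured prefix are ever looked up.
  static URL fromClasspath(ClassLoader cl, String prefix, String name) {
    String safe = safeName(name);
    return safe == null ? null : cl.getResource(prefix + "/" + safe);
  }

  public static void main(String[] args) throws IOException {
    Path dir = Files.createTempDirectory("static"); // constructed sample directory
    Files.write(dir.resolve("app.js"), "console.log(1)".getBytes());
    ClassLoader cl = ConfinedAssets.class.getClassLoader();
    // Constructed request names, as they would look after the "/static" prefix is stripped
    String[] names = {"/app.js", "/ConfinedAssets.class", "/WEB-INF/web.xml",
        "/../ConfinedAssets.class", "/..%2fConfinedAssets.class"};
    for (String n : names) {
      System.out.println(n + " dir=" + (fromDirectory(dir, n) != null)
          + " classpath=" + (fromClasspath(cl, "static", n) != null));
    }
  }
}
```

A null return is meant to become a 404 in the calling handler; the directory lookup never consults the class loader, so a class or configuration file that exists only on the class path is not served through a directory mapping.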
If you have any questions or comments about this advisory:
github.com/jooby-project/jooby
github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009
github.com/jooby-project/jooby/security/advisories/GHSA-px9h-x66r-8mpc
nvd.nist.gov/vuln/detail/CVE-2020-7647
snyk.io/vuln/SNYK-JAVA-IOJOOBY-568806
snyk.io/vuln/SNYK-JAVA-ORGJOOBY-568807