path traversal in Jooby

OSV: GHSA-PX9H-X66R-8MPC
Published: May 13, 2020, 4:29 p.m. (2020-05-13 16:29:26)
Source: Google, osv.dev

EPSS: 0.002 (Low), percentile 61.0%

Impact

Access to sensitive information available from classpath.

Patches

Patched version: 1.6.7 and 2.8.2

Commit 1.x: https://github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009

Commit 2.x: https://github.com/jooby-project/jooby/commit/c81479de67036993f406ccdec23990b44b0bec32

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Latest 1.x version at the time of the report: 1.6.6 (the fix ships in 1.6.7)

Arbitrary class path resource access 1

When serving a file-system directory as static assets, as in:

assets("/static/**", Paths.get("static"));

The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader):
jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub

  private static Loader loader(final Path basedir, final ClassLoader classloader) {
    if (Files.exists(basedir)) {
      return name -> {
        Path path = basedir.resolve(name).normalize();
        // File-system branch: only taken when the file exists under basedir.
        if (Files.exists(path) && path.startsWith(basedir)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            // shh
          }
        }
        // Any miss (including a path that escaped basedir) falls back to the
        // whole application class path, with no prefix or allow-list applied.
        return classloader.getResource(name);
      };
    }
    // No file-system directory at all: the class loader is used directly.
    return classloader::getResource;
  }

A request for /static/WEB-INF/web.xml does not pass the file-system branch (static/WEB-INF/web.xml does not exist on disk, so Files.exists is false) and falls through to classloader.getResource(name) with name equal to /WEB-INF/web.xml. That lookup succeeds against the class path and the file is returned. The fallback itself is the defect: no ../ traversal is needed, and anything reachable through the application class loader, including configuration files and the application's own .class files, is served as a static asset.

Restricting the mapping to a file extension does not prevent this. eg:

assets("/static/**/*.js", Paths.get("static"));

We can send:

http://localhost:8080/static/io/yiss/App.class.js

Arbitrary class path resource access 2

This vulnerability also affects assets served from the root of the class path with no file-system directory, i.e. the classloader::getResource branch above. eg:

assets("/static/**");

In this case we can traverse out of static with a double-encoded slash (%252f decodes to %2f, and a second decode yields /), by sending:

http://localhost:8080/static/..%252fio/yiss/App.class
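The two resolution paths described in case 1 (silent class-path fallback after a file-system miss) and case 2 (double-encoded separator against a class-path-only mapping) are easy to reproduce in a small model. The block below is an added example, not Jooby code and not the project's fix: it builds a constructed fixture (a static directory with one public file and a zip standing in for the application jar), mirrors the advisory's loader as vulnerable_loader, and places hardened variants beside it that drop the class-path fallback, refuse anything normalizing outside basedir, and decode the request exactly once before rejecting leftover %-escapes and .. segments. The Classpath class, MOUNT constant and the decodes parameter are assumptions of the model, not Jooby APIs.

```python
"""Added example: a runnable model of the two Jooby 1.x AssetHandler resolution
paths described in the advisory, with hardened variants. Everything here is
constructed for illustration; it is not Jooby code."""
import posixpath
import tempfile
import zipfile
from pathlib import Path
from urllib.parse import unquote

MOUNT = "/static/"  # assumed mount point, matches assets("/static/**", ...)


def build_fixture():
    """Constructed fixture: a 'static' directory with one public file and a
    jar-like zip standing in for the application classpath."""
    root = Path(tempfile.mkdtemp())
    static = root / "static"
    static.mkdir()
    (static / "app.js").write_bytes(b"console.log('public');")
    jar = root / "app.jar"
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app><!-- secret config --></web-app>")
        z.writestr("io/yiss/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("static/app.js", "console.log('public');")
    return static, jar


class Classpath:
    """Stand-in for ClassLoader.getResource over one jar. Like a file-backed
    class loader it resolves '..' segments, which is what case 2 relies on."""

    def __init__(self, jar):
        self.jar = zipfile.ZipFile(jar)

    def get_resource(self, name):
        name = posixpath.normpath(name.lstrip("/"))
        try:
            return self.jar.read(name)
        except KeyError:
            return None


def request_to_name(request_path, decodes=1):
    """Strip the mount prefix and percent-decode `decodes` times. decodes=2
    models a stack that decodes once at the router and again before lookup,
    which turns ..%252f into ../ ."""
    name = request_path[len(MOUNT):]
    for _ in range(decodes):
        name = unquote(name)
    return name


def vulnerable_loader(basedir, classpath):
    """Mirrors the advisory's loader: serve from disk only if the file exists
    under basedir, otherwise silently fall back to the whole classpath."""
    basedir = Path(basedir).resolve()

    def load(name):
        path = (basedir / name).resolve()
        if path.is_file() and path.parts[:len(basedir.parts)] == basedir.parts:
            return path.read_bytes()
        return classpath.get_resource(name)  # the defect: unrestricted fallback
    return load


def is_safe_name(name):
    """Applied after exactly one decode: reject leftover %-escapes (a second
    decode would change the path), absolute paths, backslashes, and empty,
    '.' or '..' segments."""
    if "%" in name or name.startswith("/") or "\\" in name:
        return False
    return all(seg not in ("", ".", "..") for seg in name.split("/"))


def hardened_loader(basedir):
    """No classpath fallback: a miss under basedir is a 404, and a path that
    normalizes outside basedir is refused before touching the disk."""
    basedir = Path(basedir).resolve()

    def load(name):
        if not is_safe_name(name):
            return None
        path = (basedir / name).resolve()
        try:
            path.relative_to(basedir)
        except ValueError:
            return None
        return path.read_bytes() if path.is_file() else None
    return load


def classpath_loader(classpath, prefix="static", safe=False):
    """assets('/static/**') with no basedir: serve from the 'static' folder on
    the classpath. safe=True runs the segment check before the lookup."""
    def load(name):
        if safe and not is_safe_name(name):
            return None
        return classpath.get_resource(prefix + "/" + name)
    return load
```

The model keeps the same shape as the original: the vulnerable loader reaches WEB-INF/web.xml and io/yiss/App.class through the fallback without any ../, and the class-path-only loader reaches App.class once ..%252f has been decoded twice. The hardened variants fail closed on both, while the legitimate static/app.js request still succeeds.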

For more information

If you have any questions or comments about this advisory:
