gravitee-gateway-core is vulnerable to path traversal. The vulnerability exists due to the lack of dynamic routing checks in the selectUserDefinedEndpoint
function of TargetEndpointResolver.java
, allowing an attacker to read arbitrary files outside the expected directory via a /management/users/register
request.
github.com/gravitee-io/gravitee-api-management
github.com/gravitee-io/gravitee-api-management/commit/d5a8e52654a849a2cf42946326075805b3590157
github.com/gravitee-io/gravitee-api-management/pull/409
github.com/gravitee-io/issues/issues/2243
medium.com/@maxime.escourbiac/write-up-of-path-traversal-on-gravitee-io-8835941be69f