GHSA-px9h-x66r-8mpc

Описание

Impact

Access to sensitive information available from classpath.

Patches

Patched version: 1.6.7 and 2.8.2

Commit 1.x: https://github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009

Commit 2.x: https://github.com/jooby-project/jooby/commit/c81479de67036993f406ccdec23990b44b0bec32

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Latest 1.x version: 1.6.6

Arbitrary class path resource access 1

When sharing a File System directory as in:

The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader): jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub

If we send /static/WEB-INF/web.xml it will fail to load it from the file system but will go into classloader.getResource(name) where name equals /WEB-INF/web.xml so will succeed and return the requested file. This way we can get any configuration file or even the application class files

If assets are configured for a certain extension we can still bypass it. eg:

We can send:

Arbitrary class path resource access 2

This vulnerability also affects assets configured to access resources from the root of the class path. eg:

In this case we can traverse static by sending:

For more information

If you have any questions or comments about this advisory:

• Open an issue in jooby
• Email us at support@jooby.io