logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2020-7647 io.jooby:jooby

Package

Manager: maven
Name: io.jooby:jooby
Vulnerable Version: >=0 <2.8.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00264 pctl0.49672

Details

path traversal in Jooby ### Impact Access to sensitive information available from classpath. ### Patches Patched version: 1.6.7 and 2.8.2 Commit 1.x: https://github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009 Commit 2.x: https://github.com/jooby-project/jooby/commit/c81479de67036993f406ccdec23990b44b0bec32 ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### References Latest 1.x version: 1.6.6 #### Arbitrary class path resource access 1 When sharing a *File System* directory as in: ``` java assets("/static/**", Paths.get("static")); ``` The class path is also searched for the file (`org.jooby.handlers.AssetHandler.loader`): [jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub](https://github.com/jooby-project/jooby/blob/1.x/jooby/src/main/java/org/jooby/handlers/AssetHandler.java) ``` java private static Loader loader(final Path basedir, final ClassLoader classloader) { if (Files.exists(basedir)) { return name -> { Path path = basedir.resolve(name).normalize(); if (Files.exists(path) && path.startsWith(basedir)) { try { return path.toUri().toURL(); } catch (MalformedURLException x) { // shh } } return classloader.getResource(name); }; } return classloader::getResource; } ``` If we send `/static/WEB-INF/web.xml` it will fail to load it from the file system but will go into `classloader.getResource(name)` where name equals `/WEB-INF/web.xml` so will succeed and return the requested file. This way we can get any configuration file or even the application class files If assets are configured for a certain extension we can still bypass it. eg: ```java assets("/static/**/*.js", Paths.get("static")); ``` We can send: ``` http://localhost:8080/static/io/yiss/App.class.js ``` #### Arbitrary class path resource access 2 This vulnerability also affects assets configured to access resources from the root of the class path. eg: ```java assets("/static/**"); ``` In this case we can traverse `static` by sending: ``` http://localhost:8080/static/..%252fio/yiss/App.class ``` ### For more information If you have any questions or comments about this advisory: * Open an issue in [jooby](https://github.com/jooby-project/jooby/issues) * Email us at [support@jooby.io](mailto:support@jooby.io)

Metadata

Created: 2020-05-13T16:29:26Z
Modified: 2021-08-25T21:08:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-px9h-x66r-8mpc/GHSA-px9h-x66r-8mpc.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-px9h-x66r-8mpc
Finding: F063
Auto approve: 1