CVE-2018-1000817 – org.grails.plugins:asset-pipeline

Package

Manager: maven
Name: org.grails.plugins:asset-pipeline
Vulnerable Version: >=0 <2.14.1 || =2.15.0 || >=2.15.0 <2.15.1 || >=3.0.0 <3.0.6

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00571 pctl0.6768

Details

Asset Pipeline Grails Plugin vulnerable to Path Traversal Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2.15.1 and 3.0.6 contains a Incorrect Access Control vulnerability in Applications deployed in Jetty that can result in Download .class files and any arbitrary file. This attack appear to be exploitable via Specially crafted GET request containing directory traversal from assets-pipeline context. This vulnerability appears to have been fixed in 2.14.1.1 (for Grails 2.x), 2.15.1 (for Grails 3 and Java 7) and 3.0.6 (for Grails 3 and Java 8).

Metadata

Created: 2022-05-13T01:48:39Z
Modified: 2022-11-22T19:45:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w73q-mc9g-j56x/GHSA-w73q-mc9g-j56x.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-w73q-mc9g-j56x
Finding: F063
Auto approve: 1