GHSA-53jx-vvf9-4x38

Source

https://github.com/advisories/GHSA-53jx-vvf9-4x38

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-53jx-vvf9-4x38/GHSA-53jx-vvf9-4x38.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-53jx-vvf9-4x38

Aliases

CVE-2023-24815

Related

CVE-2023-24815

Published

2023-02-10T03:27:58Z

Modified

2023-11-08T04:11:48.822029Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route

Details

Summary

When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any class path resource.

Details

When computing the relative path to locate the resource, in case of wildcards, the code:

https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83

returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized \ are not properly handled and an attacker can build a path that is valid within the classpath.

PoC

https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability

Database specific

{
    "github_reviewed_at": "2023-02-10T03:27:58Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2023-02-09T18:15:00Z"
}

References

Affected packages

Maven / io.vertx:vertx-web

Package

Name: io.vertx:vertx-web; View open source insights on deps.dev
Purl: pkg:maven/io.vertx/vertx-web

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.3.8

Affected versions

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.1.0.Beta1

4.1.0.CR1

4.1.0.CR2

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.2.0.Beta1

4.2.0.CR1

4.2.0

4.2.1

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.3.0

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.3.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-53jx-vvf9-4x38/GHSA-53jx-vvf9-4x38.json"