GHSA-53jx-vvf9-4x38
Suggest an improvement- Source
- https://github.com/advisories/GHSA-53jx-vvf9-4x38
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-53jx-vvf9-4x38/GHSA-53jx-vvf9-4x38.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-53jx-vvf9-4x38
- Aliases
- Published
- 2023-02-10T03:27:58Z
- Modified
- 2023-11-08T04:11:48.822029Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route
- Details
-
Summary
When running vertx web applications that serve files using
StaticHandleron Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any class path resource.Details
When computing the relative path to locate the resource, in case of wildcards, the code:
https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83
returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized
\are not properly handled and an attacker can build a path that is valid within the classpath.PoC
https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability
- Database specific
{ "nvd_published_at": "2023-02-09T18:15:00Z", "github_reviewed_at": "2023-02-10T03:27:58Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-22" ] }- References
-
- https://github.com/vert-x3/vertx-web/security/advisories/GHSA-53jx-vvf9-4x38
- https://nvd.nist.gov/vuln/detail/CVE-2023-24815
- https://github.com/vert-x3/vertx-web/commit/9e3a783b1d1a731055e9049078b1b1494ece9c15
- https://github.com/vert-x3/vertx-web
- https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83
Affected packages
Maven / io.vertx:vertx-web
Package
- Name
- io.vertx:vertx-web
- View open source insights on deps.dev
- Purl
- pkg:maven/io.vertx/vertx-web