GHSA-px9h-x66r-8mpc

Source
https://github.com/advisories/GHSA-px9h-x66r-8mpc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-px9h-x66r-8mpc/GHSA-px9h-x66r-8mpc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-px9h-x66r-8mpc
Aliases
  • CVE-2020-7647
  • SNYK-JAVA-IOJOOBY-568806
  • SNYK-JAVA-ORGJOOBY-568807
Published
2020-05-13T16:29:26Z
Modified
2023-11-08T04:04:02.572758Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
path traversal in Jooby
Details

Impact

Access to sensitive information available from classpath.

Patches

Patched version: 1.6.7 and 2.8.2

Commit 1.x: https://github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009

Commit 2.x: https://github.com/jooby-project/jooby/commit/c81479de67036993f406ccdec23990b44b0bec32

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Latest 1.x version: 1.6.6

Arbitrary class path resource access 1

When sharing a File System directory as in:

assets("/static/**", Paths.get("static"));

The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader, in AssetHandler.java on the 1.x branch of jooby-project/jooby):

  private static Loader loader(final Path basedir, final ClassLoader classloader) {
    if (Files.exists(basedir)) {
      return name -> {
        Path path = basedir.resolve(name).normalize();
        // File-system branch: the startsWith check does keep the resolved path under basedir ...
        if (Files.exists(path) && path.startsWith(basedir)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            // shh
          }
        }
        // ... but when no such file exists, the request falls through to the class loader
        // with the caller-controlled name, so any class path resource becomes reachable.
        return classloader.getResource(name);
      };
    }
    // No directory at all: every request goes straight to the class path root.
    return classloader::getResource;
  }

If we send /static/WEB-INF/web.xml, loading from the file system fails, but execution falls through to classloader.getResource(name) with name equal to /WEB-INF/web.xml, so the lookup succeeds and the requested file is returned. This way any configuration file, or even the application's class files, can be retrieved.

If assets are configured for a certain extension, the restriction can still be bypassed, e.g.:

assets("/static/**/*.js", Paths.get("static"));

We can send:

http://localhost:8080/static/io/yiss/App.class.js

Arbitrary class path resource access 2

This vulnerability also affects assets configured to serve resources from the root of the class path, e.g.:

assets("/static/**");

In this case we can traverse static by sending:

http://localhost:8080/static/..%252fio/yiss/App.class
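Both access paths above share one root cause: once the file-system lookup misses, the handler hands the caller-controlled name to classloader.getResource, so the entire class path (WEB-INF, .class files, configuration) is served as if it were a static asset. The following is an added example written for this page; it is not Jooby's code and not the patch in the commits referenced above. It shows a loader that confines the class path fallback to a dedicated asset folder and refuses traversal segments and still-encoded names before any lookup. The Loader interface, the resourcePrefix parameter and the "public" folder name are assumptions of this example.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

/**
 * Added example (not Jooby's code): serve a directory, and fall back only to a
 * dedicated class path prefix rather than the class loader root.
 */
public final class SafeAssetLoader {

  /** Hypothetical stand-in for Jooby's Loader functional interface. */
  @FunctionalInterface
  public interface Loader {
    URL load(String name);
  }

  /**
   * @param basedir        directory published to clients
   * @param classloader    class loader used for the fallback lookup
   * @param resourcePrefix class path folder that holds public assets only, e.g. "public"
   */
  public static Loader loader(Path basedir, ClassLoader classloader, String resourcePrefix) {
    Path root = basedir.toAbsolutePath().normalize();
    String prefix = resourcePrefix.replaceAll("^/+|/+$", "");
    return name -> {
      String clean = sanitize(name);
      if (clean == null) {
        return null; // traversal, encoded separators or an empty name: refuse before any lookup
      }
      if (Files.isDirectory(root)) {
        Path path = root.resolve(clean).normalize();
        if (path.startsWith(root) && Files.isRegularFile(path)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException ignored) {
            // fall through to the class path prefix below
          }
        }
      }
      // The fallback is confined to "<prefix>/<clean>"; WEB-INF/ and package folders
      // are never reachable because they do not live under the public prefix.
      return classloader.getResource(prefix + "/" + clean);
    };
  }

  /** Returns the normalized relative name, or null when the request must be refused. */
  static String sanitize(String name) {
    if (name == null) return null;
    String decoded = name;
    try {
      // Undo repeated percent-encoding so a doubly encoded "..%252f" cannot hide a
      // separator from the segment check below.
      for (int i = 0; i < 3 && decoded.contains("%"); i++) {
        decoded = URLDecoder.decode(decoded, StandardCharsets.UTF_8);
      }
    } catch (IllegalArgumentException malformedEscape) {
      return null;
    }
    if (decoded.contains("%") || decoded.indexOf('\0') >= 0) return null;
    decoded = decoded.replace('\\', '/');
    StringBuilder out = new StringBuilder();
    for (String seg : decoded.split("/")) {
      if (seg.isEmpty() || seg.equals(".")) continue;
      if (seg.equals("..")) return null; // no traversal at all, even if it would cancel out
      if (out.length() > 0) out.append('/');
      out.append(seg);
    }
    return out.length() == 0 ? null : out.toString();
  }

  public static void main(String[] args) {
    // Constructed request names modelled on the cases in the advisory.
    for (String req : Arrays.asList("app.js", "WEB-INF/web.xml",
        "../io/yiss/App.class", "..%252fio/yiss/App.class")) {
      String clean = sanitize(req);
      System.out.println(req + " -> " + (clean == null ? "refused" : "lookup public/" + clean));
    }
    Loader l = loader(Paths.get("static"), SafeAssetLoader.class.getClassLoader(), "public");
    System.out.println("WEB-INF/web.xml resolves to: " + l.load("WEB-INF/web.xml"));
  }
}
```

In the example, "WEB-INF/web.xml" is syntactically clean and passes sanitize, but it is looked up as "public/WEB-INF/web.xml", which does not exist, so the loader returns null instead of the deployment descriptor; the two traversal forms are refused outright. Detecting attempts is straightforward on the access log: requests under the asset prefix that contain "..", "%2e", "%2f" or "%25" (double encoding) deserve an alert.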

For more information

If you have any questions or comments about this advisory:
  • Open an issue in jooby
  • Email us at support@jooby.io

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-05-12T20:27:09Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}
Affected packages

Maven / io.jooby:jooby

Package

Name
io.jooby:jooby
Purl
pkg:maven/io.jooby/jooby

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.8.2

Affected versions

2.*

2.0.0.M1
2.0.0.M2
2.0.0.M3
2.0.0.RC1
2.0.0.RC2
2.0.0.RC3
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.1.0
2.2.0
2.2.1
2.3.0
2.3.1
2.4.0
2.5.0
2.5.1
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1
2.7.2
2.7.3
2.8.0
2.8.1

Maven / org.jooby:jooby

Package

Name
org.jooby:jooby
Purl
pkg:maven/org.jooby/jooby

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.8.2

Affected versions

0.*

0.1.0
0.2.0
0.2.1
0.3.0
0.4.0
0.4.1
0.4.2
0.4.2.1
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.7.0
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.10.0
0.11.0
0.11.1
0.11.2
0.12.0
0.13.0
0.13.1
0.14.0
0.15.0
0.15.1
0.16.0

1.*

1.0.0.CR1
1.0.0.CR2
1.0.0.CR3
1.0.0.CR4
1.0.0.CR5
1.0.0.CR6
1.0.0.CR7
1.0.0.CR8
1.0.0
1.0.1
1.0.2
1.0.3
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9