Access to sensitive information available from classpath.
Patched version: 1.6.7 and 2.8.2
Commit 1.x: https://github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009
Commit 2.x: https://github.com/jooby-project/jooby/commit/c81479de67036993f406ccdec23990b44b0bec32
Is there a way for users to fix or remediate the vulnerability without upgrading?
Latest 1.x version: 1.6.6
When sharing a File System directory as in:
assets("/static/**", Paths.get("static"));
The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader
):
jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub
private static Loader loader(final Path basedir, final ClassLoader classloader) {
if (Files.exists(basedir)) {
return name -> {
Path path = basedir.resolve(name).normalize();
if (Files.exists(path) && path.startsWith(basedir)) {
try {
return path.toUri().toURL();
} catch (MalformedURLException x) {
// shh
}
}
return classloader.getResource(name);
};
}
return classloader::getResource;
}
If we send /static/WEB-INF/web.xml
it will fail to load it from the file system but will go into classloader.getResource(name)
where name equals /WEB-INF/web.xml
so will succeed and return the requested file. This way we can get any configuration file or even the application class files
If assets are configured for a certain extension we can still bypass it. eg:
assets("/static/**/*.js", Paths.get("static"));
We can send:
http://localhost:8080/static/io/yiss/App.class.js
This vulnerability also affects assets configured to access resources from the root of the class path. eg:
assets("/static/**");
In this case we can traverse static
by sending:
http://localhost:8080/static/..%252fio/yiss/App.class
If you have any questions or comments about this advisory: * Open an issue in jooby * Email us at support@jooby.io
{ "nvd_published_at": null, "github_reviewed_at": "2020-05-12T20:27:09Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-22" ] }