CVE-2023-24815: Fix the webroot escape to classpath on windows · vert-x3/vertx-web@9e3a783

Vert.x-Web is a set of building blocks for building web applications in the Java programming language. When running Vert.x-Web applications that serve files using StaticHandler on Windows operating systems and Windows file systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any classpath resource. When computing the relative path used to locate the resource, in the wildcard case the code return "/" + rest; in Utils.java returns the user input, without validation, as the segment to look up. Even though checks are performed to avoid escaping the sandbox, the input was not sanitized, so backslash (\) characters are not handled properly and an attacker can build a path that is valid within the classpath. This issue only affects users deploying in Windows environments, and upgrading is the advised remediation path. There are no known workarounds for this vulnerability.
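As an added illustration, not vertx-web code, the following Python models the separator confusion the advisory describes: a check that only splits on "/" never sees a ".." that sits in front of a backslash, while a check that treats both "/" and "\" as separators, as Windows file systems do, rejects the request before any classpath lookup. The function names and the "www" webroot are assumptions for the example.

```python
import re
from typing import Optional

# Constructed model of the two checks discussed on the page (not vertx-web code).
# Windows accepts both "/" and "\" as path separators, so a sanitizer must too.
SEPARATORS = re.compile(r"[/\\]+")


def naive_escapes_webroot(rest: str) -> bool:
    """The flawed pattern: "/" + rest is inspected on "/"-separated segments only,
    so "..\\.htdigest" is seen as a single, harmless-looking file name."""
    depth = 0
    for seg in ("/" + rest).split("/"):
        if seg == "..":
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
        if depth < 0:
            return True  # traversal detected
    return False         # nothing suspicious seen


def sanitize_wildcard_rest(rest: str) -> Optional[str]:
    """Normalize the wildcard remainder into a forward-slash path that stays inside
    the mounted webroot, or return None if any ".." would climb above it."""
    stack = []
    for seg in SEPARATORS.split(rest):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None  # would escape the webroot into the classpath root
            stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)


def resolve_classpath_resource(webroot: str, rest: str) -> Optional[str]:
    """Join the sanitized remainder onto the webroot; None means reject with 404."""
    clean = sanitize_wildcard_rest(rest)
    if clean is None:
        return None
    return webroot.rstrip("/") + clean


if __name__ == "__main__":
    # Constructed sample request remainders, as they would arrive behind a "/*" mount.
    for rest in ("..\\.htdigest", "css\\..\\..\\.htdigest", "css/../index.html"):
        print(rest, "naive_ok" if not naive_escapes_webroot(rest) else "naive_reject",
              resolve_classpath_resource("www", rest))
```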


@@ -0,0 +1,57 @@

/*

* Copyright 2014 Red Hat, Inc.

*

* All rights reserved. This program and the accompanying materials

* are made available under the terms of the Eclipse Public License v1.0

* and Apache License v2.0 which accompanies this distribution.

*

* The Eclipse Public License is available at

* http://www.eclipse.org/legal/epl-v10.html

*

* The Apache License v2.0 is available at

* http://www.opensource.org/licenses/apache2.0.php

*

* You may elect to redistribute this code under either of these licenses.

*/

package io.vertx.ext.web.handler;

import io.vertx.core.http.HttpMethod;

import io.vertx.ext.web.WebTestBase;

import org.junit.Test;

public class StaticHandlerWindowsTest extends WebTestBase {

@Test

public void testEscapeToClasspathFromWildcard() throws Exception {

router.clear();

router.route(“/*”).handler(StaticHandler.create(“www”));

// attempt to escape to classpath, given that the handler is mounted on a wildcard,

// reading the wildcard must return a sanitized path and therefore not allow to escape.

testRequest(HttpMethod.GET, "/…\\.htdigest", 404, “Not Found”);

}

@Test

public void testEscapeToClasspathFromNull() throws Exception {

router.clear();

router.route().handler(StaticHandler.create(“www”));

// attempt to escape to classpath, given that the handler is mounted on a catch all path

testRequest(HttpMethod.GET, "/…\\.htdigest", 404, “Not Found”);

}

@Test

public void testEscapeToClasspathFromRegEx() throws Exception {

router.clear();

router.routeWithRegex(“.*”).handler(StaticHandler.create(“www”));

// attempt to escape to classpath, given that the handler is mounted on a regex,

testRequest(HttpMethod.GET, "/…\\.htdigest", 404, “Not Found”);

}

@Test

public void testEscapeToClasspathFromFixedPath() throws Exception {

router.clear();

router.routeWithRegex(“/”).handler(StaticHandler.create(“www”));

// attempt to escape to classpath, given that the handler is mounted on a regex,

testRequest(HttpMethod.GET, "/…\\.htdigest", 404, “Not Found”);

}

}
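Review bot: The class is named StaticHandlerWindowsTest but nothing in it gates the tests on the platform; on a POSIX file system a backslash is an ordinary file-name character, so the request for "/…\\.htdigest" is just a missing file under www and returns 404 whether or not the separator handling is fixed, which means the tests cannot fail on the Linux CI that most projects run. Add an `org.junit.Assume` check on `os.name` at the top of the class (or a shared `@Before`) so the intent is explicit, and consider a positive case (a file under www still answered with 200) so the sanitization is shown not to over-reject. Also, the comment in testEscapeToClasspathFromFixedPath reads "mounted on a regex" while the test name says fixed path and the route is `routeWithRegex(“/”)`; either the comment or the route should change to match.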

Related news

Red Hat Security Advisory 2023-7669-03

Red Hat Security Advisory 2023-7669-03 - New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images are now available.

Red Hat Security Advisory 2023-3740-01

Red Hat Security Advisory 2023-3740-01 - This release of Camel for Spring Boot 3.20.1.P1 serves as a replacement for Camel for Spring Boot 3.20.1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.

RHSA-2023:3740: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.1 Patch 1 release security update

Red Hat Integration Camel for Spring Boot 3.20.1 Patch 1 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20883: A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that cache...

GHSA-53jx-vvf9-4x38: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route

### Summary

When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any class path resource.

### Details

When computing the relative path to locate the resource, in case of wildcards, the code at https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83 returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized `\` are not properly handled and an attacker can build a path that is valid within the classpath.

### PoC

https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability
