Headline
GHSA-53jx-vvf9-4x38: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route
Summary
When running vertx web applications that serve files using StaticHandler
on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*
) then an attacker can exfiltrate any class path resource.
Details
When computing the relative path to locate the resource, in case of wildcards, the code:
https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83
returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized \
are not properly handled and an attacker can build a path that is valid within the classpath.
PoC
https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability
Package
maven io.vertx:vertx-web (Maven)
Affected versions
>= 4.0.0, < 4.3.8
Patched versions
4.3.8
Description
Summary
When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any class path resource.
Details
When computing the relative path to locate the resource, in case of wildcards, the code:
https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83
returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized \ are not properly handled and an attacker can build a path that is valid within the classpath.
PoC
https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability
References
- GHSA-53jx-vvf9-4x38
- https://nvd.nist.gov/vuln/detail/CVE-2023-24815
- vert-x3/vertx-web@9e3a783
- https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83
Last updated
Feb 10, 2023
Reviewed
Feb 10, 2023
Published to the GitHub Advisory Database
Feb 10, 2023
Published by the National Vulnerability Database
Feb 9, 2023
vietj published to vert-x3/vertx-web
Feb 9, 2023
Related news
Red Hat Security Advisory 2023-7669-03 - New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images are now available.
Red Hat Security Advisory 2023-3740-01 - This release of Camel for Spring Boot 3.20.1.P1 serves as a replacement for Camel for Spring Boot 3.20.1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.
Red Hat Integration Camel for Spring Boot 3.20.1 Patch 1 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-20883: A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that cache...
Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any class path resource. When computing the relative path to locate the resource, in case of wildcards, the code: `return "/" + rest;` from `Utils.java` returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized `\` are not properly handled and an attacker can build a path that is valid within the classpath. This issue only affects users deploying in windows environments and upgrading is the advised remediation path. There are no known workarounds for this vulnerability.