FKIE_CVE-2014-3626

Vulnerability from fkie_nvd - Published: 2018-03-19 13:29 - Updated: 2024-11-21 02:08
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal the Grails Resource Plugin did the following: normalized the URI, checked the normalized URI did not step outside the appropriate root directory (e.g. the web application root), decoded the URI and checked that this did not introduce additional /../ (and similar) sequences. A bug was introduced where the Grails Resource Plugin before 1.2.13 returned the decoded version of the URI rather than the normalized version of the URI after the directory traversal check. This exposed a double decoding vulnerability. To address this issue, the Grails Resource Plugin now repeatedly decodes the URI up to three times or until decoding no longer changes the URI. If the decode limit of 3 is exceeded the URI is rejected. A side-effect of this is that the Grails Resource Plugin is unable to serve a resource that includes a '%' character in the full path to the resource. Not all environments are vulnerable because of the differences in URL resolving in different servlet containers. Applications deployed to Tomcat 8 and Jetty 9 were found not not be vulnerable, however applications deployed to JBoss EAP 6.3 / JBoss AS 7.4 and JBoss AS 7.1 were found to be vulnerable (other JBoss versions weren't tested). In certain cases JBoss returns JBoss specific vfs protocol urls from URL resolution methods (ClassLoader.getResources). The JBoss vfs URL protocol supports resolving any file on the filesystem. This made the directory traversal possible. There may be other containers, in addition to JBoss, on which this vulnerability is exposed.
References
security_alert@emc.comhttps://pivotal.io/security/cve-2014-3626Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://pivotal.io/security/cve-2014-3626Third Party Advisory
Impacted products
Vendor Product Version
grails resources *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:grails:resources:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "43D248EA-B06E-4D5E-B09F-8F1B9B7B3F20",
              "versionEndIncluding": "1.2.12",
              "versionStartIncluding": "1.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal the Grails Resource Plugin did the following: normalized the URI, checked the normalized URI did not step outside the appropriate root directory (e.g. the web application root), decoded the URI and checked that this did not introduce additional /../ (and similar) sequences. A bug was introduced where the Grails Resource Plugin before 1.2.13 returned the decoded version of the URI rather than the normalized version of the URI after the directory traversal check. This exposed a double decoding vulnerability. To address this issue, the Grails Resource Plugin now repeatedly decodes the URI up to three times or until decoding no longer changes the URI. If the decode limit of 3 is exceeded the URI is rejected. A side-effect of this is that the Grails Resource Plugin is unable to serve a resource that includes a \u0027%\u0027 character in the full path to the resource. Not all environments are vulnerable because of the differences in URL resolving in different servlet containers. Applications deployed to Tomcat 8 and Jetty 9 were found not not be vulnerable, however applications deployed to JBoss EAP 6.3 / JBoss AS 7.4 and JBoss AS 7.1 were found to be vulnerable (other JBoss versions weren\u0027t tested). In certain cases JBoss returns JBoss specific vfs protocol urls from URL resolution methods (ClassLoader.getResources). The JBoss vfs URL protocol supports resolving any file on the filesystem. This made the directory traversal possible. There may be other containers, in addition to JBoss, on which this vulnerability is exposed."
    },
    {
      "lang": "es",
      "value": "El plugin Grails Resource suele tener que intercambiar URI por recursos con otros componentes internos. Estos otros componentes descodificar\u00e1n cualquier URI que se les pase. Para proteger contra salto de directorio, el plugin Grails Resource hizo lo siguiente: normaliz\u00f3 el URI, comprob\u00f3 que este URI no saltaba fuera del directorio root apropiado (por ejemplo, el root de la aplicaci\u00f3n web), descodific\u00f3 el URI y comprob\u00f3 que este no introduc\u00eda secuencias /../ adicionales (y similares). Se introdujo un bug por el cual el plugin Grails Resource, en versiones anteriores a la 1.2.13, devolv\u00eda la versi\u00f3n descodificada del URI en lugar de su versi\u00f3n normalizada tras la comprobaci\u00f3n de salto de directorio. Esto expuso una vulnerabilidad de doble descodificaci\u00f3n. Para abordar este problema, el plugin Grails Resource Plugin ahora descodifica el URI hasta tres veces o hasta que la descodificaci\u00f3n no cambie m\u00e1s el URI. Si el l\u00edmite de descodificaciones de 3 se supera, el URI se rechaza. Un efecto secundario de esto es que el plugin Grails Resource no puede servir un recurso que incluye un car\u00e1cter \"%\" en la ruta completa al recurso. No todos los entornos son vulnerables debido a las diferencias en la resoluci\u00f3n de URI en diferentes contenedores de servlet. Las aplicaciones desplegadas en Tomcat 8 y Jetty 9 no son vulnerables; sin embargo, las aplicaciones desplegadas en JBoss EAP 6.3 / JBoss AS 7.4 y JBoss AS 7.1 s\u00ed lo son (no se han probado otras versiones de JBoss). En ciertos casos, JBoss devuelve URL de protocolo vfs espec\u00edficas de JBoss de m\u00e9todos de resoluci\u00f3n de URL (ClassLoader.getResources). El protocolo vfs de JBoss soporta la resoluci\u00f3n de cualquier archivo del sistema de archivos. Esto hizo que el salto de directorio fuese posible. Podr\u00edan haber otros contenedores, aparte de JBoss, en los que esta vulnerabilidad est\u00e1 expuesta."
    }
  ],
  "id": "CVE-2014-3626",
  "lastModified": "2024-11-21T02:08:31.960",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-03-19T13:29:00.217",
  "references": [
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2014-3626"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://pivotal.io/security/cve-2014-3626"
    }
  ],
  "sourceIdentifier": "security_alert@emc.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.