Security vulnerability in asset-pipeline and Jetty

23 Sep 2018

Tags: Grails, Plugins, Security

Introduction

Asset-pipeline has been the default plugin for handling static assets in a Grails web application since Grails 2.4.0. A security vulnerability that involves asset-pipeline and Jetty has been identified.

Affected Versions

The vulnerability affects all asset-pipeline users that deploy Grails applications in Jetty and it allows directory traversal and download any file knowing its specific directory.

Reproducing The Issue

  • Create a new grails application: grails create-app foo
  • In build.gradle change the spring-boot-starter-tomcat to spring-boot-starter-jetty
  • Build a war file: grails war
  • Deploy to Jetty
  • Send the following request to download Application.class wget localhost:8080/foo-0.1/assets/..%5c%5cfoo%5cApplication.class -O Application.class
  • It is also possible to download any any arbitrary file if the path is known. For example to download application.yml execute curl -v localhost:8080/foo-0.1/assets/..%5capplication.yml.

Fixing The Issue

The vulnerability has been addressed in recent versions of the asset-pipeline plugin:

  • 2.14.1.1 for Grails 2.x
  • 2.15.1 for Grails 3 and Java 7
  • 3.0.6 for Grails 3 and Java 8

Published on 23 Sep 2018