title: Security Vulnerability in Asset-Pipeline and Jetty date: September 23, 2018 description: Security vulnerability in asset-pipeline and Jetty author: Iván López image: 2018-09-23.jpg

[%title]

[%author]

[%date]

Tags: #plugins

Introduction

Asset-pipeline has been the default plugin for handling static assets in a Grails® web application since Grails 2.4.0. A security vulnerability that involves asset-pipeline and Jetty has been identified.

Affected Versions

The vulnerability affects all asset-pipeline users that deploy Grails applications in Jetty, and it allows directory traversal and download any file knowing its specific directory.

Reproducing The Issue

• Create a new grails application: grails create-app foo
• In build.gradle change the spring-boot-starter-tomcat to spring-boot-starter-jetty
• Build a war file: grails war
• Deploy to Jetty
• Send the following request to download Application.class wget localhost:8080/foo-0.1/assets/..%5c%5cfoo%5cApplication.class -O Application.class
• It is also possible to download any any arbitrary file if the path is known. For example to download application.ymlexecute curl -v localhost:8080/foo-0.1/assets/..%5capplication.yml.

Fixing The Issue

The vulnerability has been addressed in recent versions of the asset-pipeline plugin:

• 2.14.1.1 for Grails 2.x
• 2.15.1 for Grails 3 and Java 7
• 3.0.6 for Grails 3 and Java 8