CVE-2014-3626
CVSS V2 Medium 5
CVSS V3 High 7.5
Description
The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal the Grails Resource Plugin did the following: normalized the URI, checked the normalized URI did not step outside the appropriate root directory (e.g. the web application root), decoded the URI and checked that this did not introduce additional /../ (and similar) sequences. A bug was introduced where the Grails Resource Plugin before 1.2.13 returned the decoded version of the URI rather than the normalized version of the URI after the directory traversal check. This exposed a double decoding vulnerability. To address this issue, the Grails Resource Plugin now repeatedly decodes the URI up to three times or until decoding no longer changes the URI. If the decode limit of 3 is exceeded the URI is rejected. A side-effect of this is that the Grails Resource Plugin is unable to serve a resource that includes a '%' character in the full path to the resource. Not all environments are vulnerable because of the differences in URL resolving in different servlet containers. Applications deployed to Tomcat 8 and Jetty 9 were found not not be vulnerable, however applications deployed to JBoss EAP 6.3 / JBoss AS 7.4 and JBoss AS 7.1 were found to be vulnerable (other JBoss versions weren't tested). In certain cases JBoss returns JBoss specific vfs protocol urls from URL resolution methods (ClassLoader.getResources). The JBoss vfs URL protocol supports resolving any file on the filesystem. This made the directory traversal possible. There may be other containers, in addition to JBoss, on which this vulnerability is exposed.
Overview
- CVE ID
- CVE-2014-3626
- Assigner
- security_alert@emc.com
- Vulnerability Status
- Analyzed
- Published Version
- 2018-03-19T13:29:00
- Last Modified Date
- 2018-04-18T16:16:19
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:grails:resources:*:*:*:*:*:*:*:* | 1 | OR | 1.2.0 | 1.2.12 |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:N/C:P/I:N/A:N
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 5
- Severity
- MEDIUM
- Exploitability Score
- 10
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.0
- Vector String
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 7.5
- Base Severity
- HIGH
- Exploitability Score
- 3.9
- Impact Score
- 3.6
References
Reference URL | Reference Tags |
---|---|
https://pivotal.io/security/cve-2014-3626 | Third Party Advisory |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2014-3626 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3626 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-05-10 18:45:30 | Added to TrackCVE | |||
2022-12-03 03:35:32 | secure@dell.com | security_alert@emc.com | CVE Assigner | updated |
2022-12-03 03:35:32 | 2018-03-19T13:29Z | 2018-03-19T13:29:00 | CVE Published Date | updated |
2022-12-03 03:35:32 | 2018-04-18T16:16:19 | CVE Modified Date | updated | |
2022-12-03 03:35:32 | Analyzed | Vulnerability Status | updated |