
path traversal in Jooby

Moderate severity GitHub Reviewed Published May 11, 2020 in jooby-project/jooby • Updated Jan 9, 2023

Package

maven io.jooby:jooby (Maven)
  Affected versions: < 2.8.2
  Patched versions: 2.8.2

maven org.jooby:jooby (Maven)
  Affected versions: < 2.8.2
  Patched versions: 2.8.2

Description

Impact

Access to sensitive information available from classpath.

Patches

Patched versions: 1.6.7 and 2.8.2

Commit 1.x: jooby-project/jooby@34f5260

Commit 2.x: jooby-project/jooby@c81479d

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Latest 1.x version: 1.6.6

Arbitrary class path resource access 1

When sharing a file system directory, as in:

assets("/static/**", Paths.get("static"));

The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader, in jooby/AssetHandler.java on the 1.x branch of jooby-project/jooby):

  private static Loader loader(final Path basedir, final ClassLoader classloader) {
    if (Files.exists(basedir)) {
      return name -> {
        // File system lookup, confined to basedir
        Path path = basedir.resolve(name).normalize();
        if (Files.exists(path) && path.startsWith(basedir)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            // shh
          }
        }
        // Fallback: the unconfined request name is looked up on the whole class path
        return classloader.getResource(name);
      };
    }
    // No such directory: every request goes straight to the class path
    return classloader::getResource;
  }

If we send /static/WEB-INF/web.xml, the file system lookup fails, but execution falls through to classloader.getResource(name), where name equals /WEB-INF/web.xml. That lookup succeeds and the requested file is returned. In this way any configuration file, or even the application's class files, can be read.

Restricting assets to a certain extension does not prevent this; the restriction can still be bypassed. E.g.:

assets("/static/**/*.js", Paths.get("static"));

We can send:

http://localhost:8080/static/io/yiss/App.class.js

Arbitrary class path resource access 2

This vulnerability also affects assets configured to serve resources from the root of the class path. E.g.:

assets("/static/**");

In this case the static directory can be traversed out of by sending:

http://localhost:8080/static/..%252fio/yiss/App.class
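The two weaknesses above share one root cause: the request name reaches classloader.getResource unconfined, so the class path root (and anything on it) becomes reachable. As an added example, not jooby's own code and not the project's patch, the following Java loader confines class path lookups to an assumed directory prefix (cpRoot, e.g. "static"), decodes and normalizes the request name before use, and rejects any segment that could escape the asset root. The class and method names (SafeAssetLoader, clean) are hypothetical.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.function.Function;

public final class SafeAssetLoader {

  /** Maps a request name to a resource URL, or null when it must not be served. */
  static Function<String, URL> loader(Path basedir, ClassLoader classloader, String cpRoot) {
    Path root = basedir.toAbsolutePath().normalize();
    // Class path lookups are confined under this prefix, never the class path root.
    String prefix = cpRoot.endsWith("/") ? cpRoot : cpRoot + "/";
    return name -> {
      String rel = clean(name);
      if (rel == null) {
        return null; // traversal attempt or malformed name: refuse, do not fall back
      }
      if (Files.isDirectory(root)) {
        Path path = root.resolve(rel).normalize();
        if (path.startsWith(root) && Files.isRegularFile(path)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            return null;
          }
        }
      }
      // Fallback stays inside the configured prefix (e.g. static/WEB-INF/web.xml,
      // which only exists if the application really ships it there).
      return classloader.getResource(prefix + rel);
    };
  }

  /** Decodes (repeatedly, so %252f cannot survive one pass), normalizes, and validates. */
  static String clean(String name) {
    String n = name;
    try {
      for (int i = 0; i < 3 && n.contains("%"); i++) {
        n = URLDecoder.decode(n, StandardCharsets.UTF_8);
      }
    } catch (IllegalArgumentException x) {
      return null;
    }
    n = n.replace('\\', '/');
    while (n.startsWith("/")) n = n.substring(1);
    for (String seg : n.split("/")) {
      if (seg.isEmpty() || seg.equals(".") || seg.equals("..")) return null;
    }
    return n;
  }
}
```

Returning null for a rejected name, rather than falling through to another lookup, is the property to keep: a 404 for a traversal attempt is cheap, while a silent fallback is what turned a path check into a class path read here.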

For more information

If you have any questions or comments about this advisory:

References

@jknack jknack published to jooby-project/jooby May 11, 2020
Reviewed May 12, 2020
Published to the GitHub Advisory Database May 13, 2020
Last updated Jan 9, 2023

Severity

Moderate, 5.3 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weaknesses

CVE ID

CVE-2020-7647

GHSA ID

GHSA-px9h-x66r-8mpc

Source code
