Full Disclosure mailing list archives
CVE-2014-0053 Information Disclosure when using Grails
From: Pivotal Security Team <security () gopivotal com>
Date: Wed, 19 Feb 2014 02:14:01 -0800 (PST)
CVE-2014-0053 Information Disclosure in Grails applications Severity: Important Vendor: Grails by Pivotal Versions Affected: - Grails 2.0.0 to 2.3.5 Description: The Grails resources plug-in, a default dependency of Grails since 2.0.0, does not block access to resources located under /WEB-INF by default. This means that both configuration files and class files are publicly accessible when they should be private. Mitigation: Users of affected versions should apply one of the following mitigations: - Upgrade to Grails 2.3.6 and redeploy the application - Configure the resources plugin to block access to /WEB-INF - Prevent access to /WEB-INF in the reverse proxy (if one is used) Possible configuration options to block access to /WEB-INF include adding the following to grails-app/conf/Config.groovy: grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**'] grails.resources.adhoc.excludes = ['/WEB-INF/**'] Credit: This issue was identified by @Ramsharan065 but was reported publicly to the Grails team via Twitter. Pivotal strongly encourages responsible reporting of security vulnerabilities via security () gopivotal com References: https://twitter.com/Ramsharan065/status/434975409134792704 https://github.com/grails/grails-core/commit/2d5d2a8b3e40111412051dbbeb32eae005fdcf35 http://www.gopivotal.com/security/cve-2014-0054 (may take up to 24 hours to go live) History: 2014-Feb-16: Issue made public 2014-Feb-19: Initial vulnerability report published
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- CVE-2014-0053 Information Disclosure when using Grails Pivotal Security Team (Feb 19)
- Update: CVE-2014-0053 Information Disclosure when using Grails Pivotal Security Team (Feb 27)