Vulnerability Description
Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2.15.1 and 3.0.6 contains a Incorrect Access Control vulnerability in Applications deployed in Jetty that can result in Download .class files and any arbitrary file. This attack appear to be exploitable via Specially crafted GET request containing directory traversal from assets-pipeline context. This vulnerability appears to have been fixed in 2.14.1.1 (for Grails 2.x), 2.15.1 (for Grails 3 and Java 7) and 3.0.6 (for Grails 3 and Java 8).
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Asset Pipeline Project | Asset-Pipeline | < 2.14.1.1 |
Related Weaknesses (CWE)
References
- http://grailsblog.objectcomputing.com/posts/2018/09/23/security-vulnerability-inExploitThird Party Advisory
- https://github.com/grails/grails-core/issues/11068Third Party Advisory
- http://grailsblog.objectcomputing.com/posts/2018/09/23/security-vulnerability-inExploitThird Party Advisory
- https://github.com/grails/grails-core/issues/11068Third Party Advisory
FAQ
What is CVE-2018-1000817?
CVE-2018-1000817 is a vulnerability with a CVSS score of 7.5 (HIGH). Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2.15.1 and 3.0.6 contains a Incorrect Access Control vulnerability in Applications deployed in Jetty that can result in Do...
How severe is CVE-2018-1000817?
CVE-2018-1000817 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000817?
Check the references section above for vendor advisories and patch information. Affected products include: Asset Pipeline Project Asset-Pipeline.