CVE-2014-0053 Information Disclosure in Grails applications
Severity: Important
Vendor: Grails by Pivotal
Versions Affected:
- Grails 2.0.0 to 2.3.5
Description:
The Grails resources plug-in, a default dependency of Grails since
2.0.0, does not block access to resources located under /WEB-INF by
default. This means that both configuration files and class files
are publicly accessible when they should be private.
Mitigation:
Users of affected versions should apply one of the following
mitigations:
- Upgrade to Grails 2.3.6 and redeploy the application
- Configure the resources plugin to block access to /WEB-INF
- Prevent access to /WEB-INF in the reverse proxy (if one is used)
Possible configuration options to block access to /WEB-INF include
adding the following to grails-app/conf/Config.groovy:
grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']
Credit:
This issue was identified by @Ramsharan065 but was reported publicly
to the Grails team via Twitter. Pivotal strongly encourages responsible
reporting of security vulnerabilities via security@gopivotal.com
References:
https://twitter.com/Ramsharan065/status/434975409134792704
https://github.com/grails/grails-core/commit/2d5d2a8b3e40111412051dbbeb32eae005fdcf35
http://www.gopivotal.com/security/cve-2014-0054 (may take up to 24 hours to go live)
History:
2014-Feb-16: Issue made public
2014-Feb-19: Initial vulnerability report published
Severity: Important
Vendor: Grails by Pivotal
Versions Affected:
- Grails 2.0.0 to 2.3.5
Description:
The Grails resources plug-in, a default dependency of Grails since
2.0.0, does not block access to resources located under /WEB-INF by
default. This means that both configuration files and class files
are publicly accessible when they should be private.
Mitigation:
Users of affected versions should apply one of the following
mitigations:
- Upgrade to Grails 2.3.6 and redeploy the application
- Configure the resources plugin to block access to /WEB-INF
- Prevent access to /WEB-INF in the reverse proxy (if one is used)
Possible configuration options to block access to /WEB-INF include
adding the following to grails-app/conf/Config.groovy:
grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']
Credit:
This issue was identified by @Ramsharan065 but was reported publicly
to the Grails team via Twitter. Pivotal strongly encourages responsible
reporting of security vulnerabilities via security@gopivotal.com
References:
https://twitter.com/Ramsharan065/status/434975409134792704
https://github.com/grails/grails-core/commit/2d5d2a8b3e40111412051dbbeb32eae005fdcf35
http://www.gopivotal.com/security/cve-2014-0054 (may take up to 24 hours to go live)
History:
2014-Feb-16: Issue made public
2014-Feb-19: Initial vulnerability report published