Asset Pipeline plugin for Grails vulnerable to Path Traversal
High severity • GitHub Reviewed • Published May 14, 2022 to the GitHub Advisory Database • Updated Feb 2, 2023
Published by the National Vulnerability Database: Sep 28, 2018
Published to the GitHub Advisory Database: May 14, 2022
Reviewed: Nov 22, 2022
Last updated: Feb 2, 2023
Description
An issue was discovered in the Asset Pipeline plugin before 3.0.4 for Grails. An attacker can perform directory traversal via a crafted request when a servlet-based application is executed in Jetty, because there is a classloader vulnerability that can allow a reverse file traversal route in AssetPipelineFilter.groovy or AssetPipelineFilterCore.groovy.
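A defensive check for the class of bug described above, as an added example (not the plugin's code and not the 3.0.4 patch): a servlet filter validates the requested asset path segment by segment before any classloader lookup. The class name, the `assets/` classpath prefix and the sample request paths are assumptions made for illustration.

```java
import java.net.URL;
import java.util.Optional;

public class SafeAssetResolver {
    // Assumption: compiled assets are packaged on the classpath under this prefix.
    private static final String ASSET_ROOT = "assets/";

    /** Maps a request path to a classpath resource name, or empty if it must be rejected. */
    static Optional<String> toResourceName(String requestPath) {
        if (requestPath == null || requestPath.isEmpty()) return Optional.empty();
        // Assumption: the container already URL-decoded the path once, so a
        // remaining '%' means double encoding; backslash and NUL are never valid.
        for (char c : requestPath.toCharArray()) {
            if (c == '%' || c == '\\' || c == '\0') return Optional.empty();
        }
        String relative = requestPath.startsWith("/") ? requestPath.substring(1) : requestPath;
        // Reject rather than normalize: any empty, "." or ".." segment fails the request.
        for (String segment : relative.split("/", -1)) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return Optional.empty();
            }
        }
        return Optional.of(ASSET_ROOT + relative);
    }

    /** Looks the asset up only after validation; the raw path never reaches the classloader. */
    static Optional<URL> resolve(ClassLoader loader, String requestPath) {
        // Optional.map yields empty when getResource returns null (asset not found).
        return toResourceName(requestPath).map(loader::getResource);
    }

    public static void main(String[] args) {
        // Constructed sample request paths, not taken from the advisory.
        String[] samples = {
            "/application.js", "css/site.css", "/../outside.txt",
            "/css/../../outside.txt", "/%2e%2e/outside.txt", "/css//site.css"
        };
        for (String path : samples) {
            System.out.println(path + " -> " + toResourceName(path).orElse("REJECTED"));
        }
    }
}
```

Rejecting suspicious paths outright, instead of normalizing them and continuing, keeps the result independent of how a particular container or classloader interprets `..` segments.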