Description

In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone2, 4.0.0.milestone3, 4.0.0.milestone4, 4.0.0.milestone5, 4.0.0.Beta1, 4.0.0.Beta2, and 4.0.0.Beta3, StaticHandler doesn't correctly processes back slashes on Windows Operating systems, allowing, escape the webroot folder to the current working directory.

Remediation

References

https://bugs.eclipse.org/bugs/show_bug.cgi?id=567416

https://lists.apache.org/thread.html/r591f6932560c8c46cee87415afed92924a982189fea7f7c9096f8e33%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/r8383b5e7344a8b872e430ad72241b84b83e9701d275c602cfe34a941%40%3Ccommits.servicecomb.apache.org%3E

https://lists.apache.org/thread.html/r8d863b148efe778ce5f8f961d0cafeda399e681d3f0656233b4c5511%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E

https://lists.apache.org/thread.html/rfd0ebf8387cfd0b959d1e218797e709793cce51a5ea2f84d0976f47d%40%3Ccommits.pulsar.apache.org%3E

Related Vulnerabilities

CVE-2017-8452 Vulnerability in npm package kibana

CVE-2019-10432 Vulnerability in maven package org.jenkins-ci.plugins:htmlpublisher

CVE-2023-2512 Vulnerability in npm package workerd

CVE-2023-40341 Vulnerability in maven package io.jenkins.blueocean:blueocean

CVE-2022-45146 Vulnerability in maven package org.bouncycastle:bc-fips

Severity

Critical

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory