CVE-2014-3626
https://notcve.org/view.php?id=CVE-2014-3626
The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal the Grails Resource Plugin did the following: normalized the URI, checked the normalized URI did not step outside the appropriate root directory (e.g. the web application root), decoded the URI and checked that this did not introduce additional /../ (and similar) sequences. A bug was introduced where the Grails Resource Plugin before 1.2.13 returned the decoded version of the URI rather than the normalized version of the URI after the directory traversal check. This exposed a double decoding vulnerability. • https://pivotal.io/security/cve-2014-3626 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2017-6344
https://notcve.org/view.php?id=CVE-2017-6344
XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allows remote attackers to read arbitrary files via a crafted XML document. Vulnerabilidad XEE en Grails PDF Plugin 0.6 permite a atacantes remotos leer archivos arbitrarios a través de un documento XML manipulado. • http://www.securityfocus.com/bid/96446 https://www.ambionics.io/blog/grails-pdf-plugin-xxe • CWE-611: Improper Restriction of XML External Entity Reference •