CVE-2023-24815 – Disclosure of classpath resources on Windows when mounted on a wildcard route in vertx-web
https://notcve.org/view.php?id=CVE-2023-24815
Vert.x-Web is a set of building blocks for building web applications in the Java programming language. When running Vert.x-Web applications that serve files using `StaticHandler` on Windows operating systems and Windows file systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any classpath resource. When computing the relative path to locate the resource, in the wildcard case the code `return "/" + rest;` in `Utils.java` returns the user input, without validation, as the segment to look up. Even though checks are performed to avoid escaping the sandbox, because the input is not sanitized, backslashes (`\`) are not handled correctly, and an attacker can build a path that is valid within the classpath. This issue only affects users deploying in Windows environments; upgrading is the advised remediation path. • https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83 https://github.com/vert-x3/vertx-web/commit/9e3a783b1d1a731055e9049078b1b1494ece9c15 https://github.com/vert-x3/vertx-web/security/advisories/GHSA-53jx-vvf9-4x38 https://access.redhat.com/security/cve/CVE-2023-24815 https://bugzilla.redhat.com/show_bug.cgi?id=2209400 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-35217
https://notcve.org/view.php?id=CVE-2020-35217
The Vert.x-Web framework v4.0 milestone 1-4 does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token stored in the session. An attacker does not even need to provide a CSRF token in the request, because the framework does not consider it. The cookies are sent automatically by the browser, so the verification always succeeds, leading to a successful CSRF attack. • https://github.com/vert-x3/vertx-web/pull/1613 • CWE-352: Cross-Site Request Forgery (CSRF) •