Detections
Analytics
Grails resources plug-in WEB-INF / META-INF File Disclosure
medium Nessus Plugin ID 72757
Language:
Synopsis
A Java web application framework in use on the remote web server is affected by an information disclosure vulnerability.Description
The remote web server uses a version of Grails, an open source web application framework for JVM, that is affected by an information disclosure vulnerability. Specifically, its 'resources' plug-in fails to restrict access to resources located under an application's 'WEB-INF' and 'META-INF' directories by default. A remote attacker could leverage this to retrieve the contents of class or configuration files, such as web.xml, which should be private, including in other web applications using directory traversal sequences.Solution
Upgrade the 'resources' plug-in to 1.2.6, configure it to block access to resources under 'WEB-INF' and 'META-INF', and redploy the affected applications.Alternatively, block access to the 'WEB-INF' and 'META-INF' directories in a reverse proxy.
See Also
https://twitter.com/Ramsharan065/status/434975409134792704
https://pivotal.io/security/cve-2014-0053
Plugin Details
Severity: Medium
ID: 72757
File Name: grails_resources_plugin_info_disclosure.nasl
Version: 1.15
Type: remote
Family: CGI abuses
Published: 3/1/2014
Updated: 4/11/2022
Configuration: Enable thorough checks
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 3.9
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2014-2858
Vulnerability Information
CPE: cpe:/a:springsource:grails
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: Exploits are available
Exploited by Nessus: true
Vulnerability Publication Date: 2/16/2014