Advisories for Maven/Io.vertx/Vertx-Web package

2023

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vert.x-Web is a set of building blocks for building web applications in the java programming language. When running vertx web applications that serve files using StaticHandler on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (*) then an attacker can exfiltrate any class path resource. When computing the relative path to locate the resource, in case of wildcards, the code: return "/" + rest; …

2022
2021

Cross-Site Request Forgery (CSRF)

Vert.x-Web framework does not perform a correct CSRF verification. Instead of comparing the CSRF token in the request with the CSRF token in the cookie, it compares the CSRF token in the cookie against a CSRF token that is stored in the session. An attacker does not even need to provide a CSRF token in the request because the framework does not consider it. The cookies are automatically sent by …

2018