CVE-2018-12536: Information Exposure
(updated )
When an intentionally bad query arrives that does not match a dynamic url-pattern, and is eventually handled by the DefaultServlet
static file serving, the bad characters can trigger a java.nio.file.InvalidPathException
which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException
is then handled by the default Error Handler, the InvalidPathException
message is included in the error response, revealing the full server path to the requesting system.
References
Detect and mitigate CVE-2018-12536 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →