CVE-2018-17605: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

May 14, 2022 (updated November 22, 2022)

An issue was discovered in the Asset Pipeline plugin before 3.0.4 for Grails. An attacker can perform directory traversal via a crafted request when a servlet-based application is executed in Jetty, because there is a classloader vulnerability that can allow a reverse file traversal route in AssetPipelineFilter.groovy or AssetPipelineFilterCore.groovy.

References

github.com/advisories/GHSA-g7wm-22m6-5774
github.com/bertramdev/asset-pipeline/commit/a29533c52e4b60e244082433e116d2a038d01017
github.com/grails/grails-core/issues/11068
nvd.nist.gov/vuln/detail/CVE-2018-17605

Detect and mitigate CVE-2018-17605 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →