The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 does not properly restrict access to files in the META-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this issue was SPLIT from CVE-2014-0053 due to different researchers per ADT5.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Grails-resources | Gopivotal | 1.0.0 (including) | 1.0.0 (including) |
| Grails-resources | Gopivotal | 1.0.2 (including) | 1.0.2 (including) |
| Grails-resources | Gopivotal | 1.1.0 (including) | 1.1.0 (including) |
| Grails-resources | Gopivotal | 1.1.1 (including) | 1.1.1 (including) |
| Grails-resources | Gopivotal | 1.1.2 (including) | 1.1.2 (including) |
| Grails-resources | Gopivotal | 1.1.4 (including) | 1.1.4 (including) |
| Grails-resources | Gopivotal | 1.1.5 (including) | 1.1.5 (including) |
| Grails-resources | Gopivotal | 1.1.6 (including) | 1.1.6 (including) |
| Grails-resources | Gopivotal | 1.2.0 (including) | 1.2.0 (including) |
| Grails-resources | Gopivotal | 1.2.1 (including) | 1.2.1 (including) |
| Grails-resources | Gopivotal | 1.2.2 (including) | 1.2.2 (including) |
| Grails-resources | Gopivotal | 1.2.3 (including) | 1.2.3 (including) |
| Grails-resources | Gopivotal | 1.2.4 (including) | 1.2.4 (including) |
| Grails-resources | Gopivotal | 1.2.5 (including) | 1.2.5 (including) |
References
- http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0267.html
- http://www.gopivotal.com/security/cve-2014-0053
- http://www.securityfocus.com/archive/1/531281/100/0/threaded
- http://archives.neohapsis.com/archives/fulldisclosure/2014-02/0267.html
- http://www.gopivotal.com/security/cve-2014-0053
- http://www.securityfocus.com/archive/1/531281/100/0/threaded