7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000817

GHSA ID

GHSA-w73q-mc9g-j56x

EPSS Score

0.61763%

CWE

CWE-22

Published

5/13/2022

Updated

2/2/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000817

CVE-2018-1000817:
Asset Pipeline Grails Plugin vulnerable to Path Traversal

Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2.15.1 and 3.0.6 contains a Incorrect Access Control vulnerability in Applications deployed in Jetty that can result in Download .class files and any arbitrary file. This attack appear to be exploitable via Specially crafted GET request containing directory traversal from assets-pipeline context. This vulnerability appears to have been fixed in 2.14.1.1 (for Grails 2.x), 2.15.1 (for Grails 3 and Java 7) and 3.0.6 (for Grails 3 and Java 8).

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000817

GHSA ID

GHSA-w73q-mc9g-j56x

EPSS Score

0.61763%

CWE

CWE-22

Published

5/13/2022

Updated

2/2/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.grails.plugins:asset-pipeline	maven	< 2.14.1	2.14.1
org.grails.plugins:asset-pipeline	maven	= 2.15.0	2.15.1
org.grails.plugins:asset-pipeline	maven	>= 3.0.0, < 3.0.6	3.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path validation when handling asset requests. While no patch code is provided, the description explicitly states that specially crafted GET requests with directory traversal sequences in the asset-pipeline context lead to arbitrary file exposure. In Grails asset-pipeline architecture, the Filter->Service->ResourceLocator chain is responsible for processing asset requests. The confidence is medium because we're inferring based on vulnerability patterns rather than explicit patch analysis. These functions represent the most probable locations where path traversal checks would be missing in vulnerable versions, given their role in request handling and resource resolution.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ss*t Pip*lin* *r*ils Plu*in *ss*t-pip*lin* plu*in v*rsion Prior to *.**.*.*, *.**.* *n* *.*.* *ont*ins * In*orr**t ****ss *ontrol vuln*r**ility in *ppli**tions **ploy** in J*tty t**t **n r*sult in *ownlo** .*l*ss *il*s *n* *ny *r*itr*ry *il*. T*is *

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* v*li**tion w**n **n*lin* *ss*t r*qu*sts. W*il* no p*t** *o** is provi***, t** **s*ription *xpli*itly st*t*s t**t sp**i*lly *r**t** **T r*qu*sts wit* *ir**tory tr*v*rs*l s*qu*n**s in t** *ss*t-pip*lin* *ont*x

7.5

Basic Information

Concerned about an active attack path?

CVE-2018-1000817: Asset Pipeline Grails Plugin vulnerable to Path Traversal

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-1000817:
Asset Pipeline Grails Plugin vulnerable to Path Traversal

Vulnerability Intelligence
Miggo AI