CVE-2018-13864: Play Framework's Assets controller vulnerable to directory traversal
7.5
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.79185%
CWE
Published
5/13/2022
Updated
2/2/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.typesafe.play:play_2.12 | maven | >= 2.6.12, < 2.6.16 | 2.6.16 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper path normalization in Assets controller. The key changes in Assets.scala show:
- normalizePathSegments was modified to split paths using multiple separators (/, , and platform-specific)
- Added tests in AssetsSpec.scala demonstrate resourceNameAt's previous vulnerability to traversal via Windows-style paths
- The patch introduces validation for multiple separator types, indicating the previous implementation only handled Unix-style paths properly These functions would appear in stack traces when processing asset requests containing traversal sequences, particularly with Windows path characteristics.