
CVE-2018-13864: Play Framework's Assets controller vulnerable to directory traversal

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.79185%
Published: 5/13/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name                 Ecosystem  Vulnerable Versions   First Patched Version
com.typesafe.play:play_2.12  maven      >= 2.6.12, < 2.6.16   2.6.16

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper path normalization in the Assets controller. The key changes in Assets.scala show:

  1. normalizePathSegments was modified to split paths on multiple separators (/, \, and the platform-specific separator).
  2. Tests added in AssetsSpec.scala demonstrate resourceNameAt's previous vulnerability to traversal via Windows-style paths.
  3. The patch introduces validation for multiple separator types, indicating that the previous implementation only handled Unix-style paths properly.

These functions would appear in stack traces when processing asset requests containing traversal sequences, particularly those with Windows path characteristics.
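To make the normalization change concrete, the following is an added Python model of a segment normalizer, not Play's own code: one variant splits only on '/' (an assumed simplification of the pre-patch behaviour), the other on '/', '\' and the platform separator as the patch does, and a request path is rejected whenever a '..' segment would climb above the asset root. Function names and the sample paths in the docstrings are constructed for this example.

```python
import os
from typing import FrozenSet, Optional

# Separators the patched normalizer treats as segment boundaries: '/', '\'
# and the platform-specific separator (os.sep). On Windows a backslash is a
# real path separator, so a normalizer that only splits on '/' never sees
# "..\" as a parent-directory segment.
ALL_SEPARATORS: FrozenSet[str] = frozenset({"/", "\\", os.sep})
UNIX_ONLY: FrozenSet[str] = frozenset({"/"})


def normalize_path_segments(path: str, separators: FrozenSet[str]) -> Optional[str]:
    """Resolve '.' and '..' segments; return the cleaned path joined with '/',
    or None when a '..' would climb above the asset root (reject that request).
    Only characters in `separators` end a segment."""
    segments, current = [], []
    for ch in path:
        if ch in separators:
            if current:
                segments.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        segments.append("".join(current))

    stack = []
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if not stack:
                return None  # would escape the asset root
            stack.pop()
        else:
            stack.append(seg)
    return "/".join(stack)


def normalize_unix_only(path: str) -> Optional[str]:
    """Model (assumption) of the pre-patch behaviour: only '/' ends a segment."""
    return normalize_path_segments(path, UNIX_ONLY)


def normalize_all_separators(path: str) -> Optional[str]:
    """Model of the patched behaviour: every separator type ends a segment."""
    return normalize_path_segments(path, ALL_SEPARATORS)


def is_safe_asset_path(path: str) -> bool:
    """Defensive check: accept only paths that normalize without leaving the root."""
    return normalize_all_separators(path) is not None
```

With a constructed Windows-style request path such as `..\..\conf\secret.txt`, the '/'-only variant returns the string unchanged (the backslash-delimited '..' segments are never recognised), while the patched variant returns None and `is_safe_asset_path` rejects it.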


WAF Protection Rules

WAF Rule

A directory traversal vulnerability has been found in the Assets controller in Play Framework 2.6.12 through 2.6.15 (fixed in 2.6.16) when running on Windows. It allows a remote attacker to download arbitrary files from the target server via specially
