5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7647

GHSA ID

GHSA-px9h-x66r-8mpc

EPSS Score

0.49757%

CWE

CWE-22

Published

5/13/2020

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-7647

CVE-2020-7647: path traversal in Jooby

Impact

Access to sensitive information available from classpath.

Patches

Patched version: 1.6.7 and 2.8.2

Commit 1.x: https://github.com/jooby-project/jooby/commit/34f526028e6cd0652125baa33936ffb6a8a4a009

Commit 2.x: https://github.com/jooby-project/jooby/commit/c81479de67036993f406ccdec23990b44b0bec32

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Latest 1.x version: 1.6.6

Arbitrary class path resource access 1

When sharing a File System directory as in:

assets("/static/**", Paths.get("static"));

The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader): jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub

  private static Loader loader(final Path basedir, final ClassLoader classloader) {
    if (Files.exists(basedir)) {
      return name -> {
        Path path = basedir.resolve(name).normalize();
        if (Files.exists(path) && path.startsWith(basedir)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            // shh
          }
        }
        return classloader.getResource(name);
      };
    }
    return classloader::getResource;
  }

If we send /static/WEB-INF/web.xml it will fail to load it from the file system but will go into classloader.getResource(name) where name equals /WEB-INF/web.xml so will succeed and return the requested file. This way we can get any configuration file or even the application class files

If assets are configured for a certain extension we can still bypass it. eg:

assets("/static/**/*.js", Paths.get("static"));

We can send:

http://localhost:8080/static/io/yiss/App.class.js

Arbitrary class path resource access 2

This vulnerability also affects assets configured to access resources from the root of the class path. eg:

assets("/static/**");

In this case we can traverse static by sending:

http://localhost:8080/static/..%252fio/yiss/App.class

For more information

If you have any questions or comments about this advisory:

Open an issue in jooby
Email us at support@jooby.io

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-7647

GHSA ID

GHSA-px9h-x66r-8mpc

EPSS Score

0.49757%

CWE

CWE-22

Published

5/13/2020

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jooby:jooby	maven	< 2.8.2	2.8.2
org.jooby:jooby	maven	< 2.8.2	2.8.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) The loader function's fallback to classloader.getResource() without path validation allowed accessing arbitrary classpath resources when files weren't found in the filesystem directory. 2) Missing prefix validation in asset configuration patterns enabled path traversal via URL encoding (e.g., %252f for ../). The patches added classpath prefix checks in classpathLoader and enforced security restrictions in setRoute(), confirming these were the vulnerable areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t ****ss to s*nsitiv* in*orm*tion *v*il**l* *rom *l*ssp*t*. ### P*t***s P*t**** v*rsion: *.*.* *n* *.*.* *ommit *.x: *ttps://*it*u*.*om/joo*y-proj**t/joo*y/*ommit/**************************************** *ommit *.x: *ttps://*it*u*.*om/jo

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) T** lo***r `*un*tion`'s **ll***k to `*l*sslo***r.**tR*sour**()` wit*out p*t* v*li**tion *llow** ****ssin* *r*itr*ry *l*ssp*t* r*sour**s w**n *il*s w*r*n't *oun* in t** `*il*syst*m` *ir**tory. *) Missin*

5.3

Basic Information

Concerned about an active attack path?

CVE-2020-7647: path traversal in Jooby

Impact

Patches

Workarounds

References

Arbitrary class path resource access 1

Arbitrary class path resource access 2

For more information

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI