Grails resources plug-in WEB-INF / META-INF File Disclosure

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

A Java web application framework in use on the remote web server is
affected by an information disclosure vulnerability.

Description :

The remote web server uses a version of Grails, an open source web
application framework for JVM, that is affected by an information
disclosure vulnerability. Specifically, its 'resources' plug-in fails
to restrict access to resources located under an application's
'WEB-INF' and 'META-INF' directories by default. A remote attacker
could leverage this to retrieve the contents of class or configuration
files, such as web.xml, which should be private, including in other
web applications using directory traversal sequences.

See also :

https://twitter.com/Ramsharan065/status/434975409134792704
http://www.gopivotal.com/security/cve-2014-0053
http://seclists.org/fulldisclosure/2014/Feb/194
http://seclists.org/fulldisclosure/2014/Feb/267

Solution :

Upgrade the 'resources' plug-in to 1.2.6, configure it to block access
to resources under 'WEB-INF' and 'META-INF', and redploy the affected
applications.

Alternatively, block access to the 'WEB-INF' and 'META-INF'
directories in a reverse proxy.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses

Nessus Plugin ID: 72757 ()

Bugtraq ID: 65678
67071
67073

CVE ID: CVE-2014-0053
CVE-2014-2857
CVE-2014-2858