SCA: security update for io.vertx:vertx-web (GHSA-53jx-vvf9-4x38)

medium Tenable Cloud Security Plugin ID 410532

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Vert.x-Web is a set of building blocks for building web applications in the Java programming language.
When running Vert.x web applications that serve files using `StaticHandler` on Windows operating systems
and Windows file systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any
classpath resource. When computing the relative path used to locate the resource, in the wildcard case the
code `return "/" + rest;` in `Utils.java` returns the user input (without validation) as the segment to
look up. Even though checks are performed to avoid escaping the sandbox, because the input is not
sanitized, backslashes (`\`) are not handled as path separators, and an attacker can build a path that
resolves to a resource elsewhere within the classpath. This issue only affects users deploying in Windows
environments, and upgrading is the advised remediation path. There are no known workarounds for this
vulnerability. (CVE-2023-24815)
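The advisory's root cause is a relative path that is passed straight to the resource lookup without treating `\` as a separator. The following is an added example, not Vert.x-Web's own code or a patch for it: a hypothetical `SafeClasspathPath.resolve` helper that normalises the `rest` portion of a request before it is used as a lookup path, rejecting backslashes outright (the Windows-specific gap the advisory describes) and any `..` sequence that would climb above the mount root. The class name, method name and sample inputs are all constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Hypothetical hardened replacement for an unvalidated "/" + rest lookup.
 * resolve() returns the normalised lookup path, or null when the request
 * must be rejected (the caller should then answer 404 rather than search
 * the classpath).
 */
public final class SafeClasspathPath {

    public static String resolve(String rest) {
        if (rest == null) {
            return null;
        }
        // On Windows a backslash is a path separator, so a check that only
        // understands '/' lets "..\" segments through. Reject it outright
        // rather than trying to interpret it.
        if (rest.indexOf('\\') >= 0) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : rest.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                 // "//" and "./" contribute nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;          // would climb above the mount root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        if (segments.isEmpty()) {
            return null;                  // nothing left to look up
        }
        return "/" + String.join("/", segments);
    }

    // Constructed sample inputs showing accepted and rejected requests.
    public static void main(String[] args) {
        String[] samples = {
            "css/site.css",            // accepted -> /css/site.css
            "css/../img/logo.png",     // accepted -> /img/logo.png
            "../other-dir/file.txt",   // rejected: climbs above the root
            "..\\other-dir\\file.txt"  // rejected: backslash separator
        };
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s));
        }
    }
}
```

Two design points: the check rejects rather than rewrites backslashes, because a static file server has no legitimate reason to accept them in a request path, and it must run on the fully decoded path (after any percent-decoding the framework performs) so that encoded separators cannot bypass it. This illustrates the class of check involved; for affected deployments the advisory's own guidance, upgrading, remains the remediation.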

See Also

https://github.com/advisories/GHSA-53jx-vvf9-4x38

Plugin Details

Severity: Medium

ID: 410532

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-24815

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/10/2023

Vulnerability Publication Date: 2/9/2023

Reference Information

CVE: CVE-2023-24815

CWE: CWE-22