APPC-841 (sub-task of APPC-656: Review Security issues reported by Nexus IQ)
Project: Application Controller

Nexus IQ Issue: org.glassfish.grizzly : grizzly-http : 2.3.28

    • Type: Sub-task
    • Resolution: Done
    • Priority: Medium
    • Affects Version/s: Beijing Release
    • Fix Version/s: Beijing Release
    • Component/s: APPC
    • Labels: None

Explanation
The Oracle GlassFish Server Open Source Edition is vulnerable to Directory Traversal. The set() function in the CharChunk class uses the UTF8Decoder class to convert UTF-8 bytes to chars, which allows URL-encoded characters such as “%C0%2F” without properly escaping them. An attacker can exploit this vulnerability on the admin console by crafting a GET request containing encoded sequences such as “..%C0%2F”, and potentially gain access to arbitrary files beyond the allowed root directory.

Detection
The application is vulnerable by using this component.

Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
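The decoding flaw described above, as an added illustration that is not the Nexus IQ report's or Grizzly's own code: a lenient byte-to-char step (an assumed model built from the description, not the real UTF8Decoder) that turns the bytes C0 2F into a single '/', placed beside a strict decode followed by a containment check on the resolved path. The document root and request paths are constructed sample values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

ROOT = "/srv/www"  # constructed document root used by the demo below


def lenient_utf8_decode(data: bytes) -> str:
    """Assumed model of the flawed decoder: it trusts the lead byte's announced
    length and folds in the next byte without checking that it is a real
    continuation byte (10xxxxxx) or that the form is not overlong, so
    C0 2F becomes (0x00 << 6) | (0x2F & 0x3F) = 0x2F, i.e. '/'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b))
            i += 1
        elif (b & 0xE0) == 0xC0 and i + 1 < len(data):  # 2-byte lead, unvalidated
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:                                          # longer forms not modelled here
            raise ValueError("unsupported byte sequence")
    return "".join(out)


def vulnerable_resolve(root: str, raw_path: str) -> Optional[str]:
    """Flawed order: the traversal check runs on the percent-decoded bytes, but
    the lenient byte-to-char step afterwards manufactures a fresh '/'."""
    raw = unquote_to_bytes(raw_path)
    if b"../" in raw:
        return None
    return posixpath.normpath(posixpath.join(root, lenient_utf8_decode(raw)))


def hardened_resolve(root: str, raw_path: str) -> Optional[str]:
    """Strict UTF-8 decoding rejects overlong and malformed sequences (C0 is an
    invalid start byte), and containment is checked on the fully decoded,
    normalised path rather than on any encoded form of it."""
    try:
        text = unquote_to_bytes(raw_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    full = posixpath.normpath(posixpath.join(root, text.lstrip("/")))
    return full if full == root or full.startswith(root + "/") else None


if __name__ == "__main__":
    probe = "docs/..%C0%2F..%C0%2Fetc/passwd"  # constructed request path
    print(vulnerable_resolve(ROOT, probe))       # /srv/etc/passwd (escaped the root)
    print(hardened_resolve(ROOT, probe))         # None (rejected)
```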

      This issue depends on cdp-pal.

      [INFO] +- com.att.cdp:cdp-pal-openstack:jar:1.1.25.6-oss:compile
      [INFO] |  +- org.yaml:snakeyaml:jar:1.15:compile
      [INFO] |  +- com.att.woorea:keystone-client:jar:3.3.28-oss:compile
      [INFO] |  |  +- com.att.woorea:openstack-client:jar:3.3.28-oss:compile
      [INFO] |  |  - com.att.woorea:keystone-model:jar:3.3.28-oss:compile
      [INFO] |  +- com.att.woorea:nova-client:jar:3.3.28-oss:compile
      [INFO] |  |  - com.att.woorea:nova-model:jar:3.3.28-oss:compile
      [INFO] |  +- com.att.woorea:cinder-client:jar:3.3.28-oss:compile
      [INFO] |  |  - com.att.woorea:cinder-model:jar:3.3.28-oss:compile
      [INFO] |  +- com.att.woorea:glance-client:jar:3.3.28-oss:compile
      [INFO] |  |  - com.att.woorea:glance-model:jar:3.3.28-oss:compile
      [INFO] |  +- com.att.woorea:heat-client:jar:3.3.28-oss:compile
      [INFO] |  |  - com.att.woorea:heat-model:jar:3.3.28-oss:compile
      [INFO] |  +- com.att.woorea:quantum-client:jar:3.3.28-oss:compile
      [INFO] |  |  - com.att.woorea:quantum-model:jar:3.3.28-oss:compile
      [INFO] |  +- com.att.woorea:jersey2-connector:jar:3.3.28-oss:compile
      [INFO] |  |  - org.glassfish.jersey.core:jersey-client:jar:2.25.1:compile
      [INFO] |  +- org.glassfish.jersey.media:jersey-media-json-jackson:jar:2.25.1:compile
      [INFO] |  |  - org.glassfish.jersey.ext:jersey-entity-filtering:jar:2.25.1:compile
      [INFO] |  - org.glassfish.jersey.connectors:jersey-grizzly-connector:jar:2.25.1:compile
      [INFO] |     +- org.glassfish.grizzly:grizzly-http-client:jar:1.11:compile
      [INFO] |     +- org.glassfish.grizzly:grizzly-websockets:jar:2.3.28:compile
      [INFO] |     |  +- org.glassfish.grizzly:grizzly-framework:jar:2.3.28:compile
      [INFO] |     |  - org.glassfish.grizzly:grizzly-http:jar:2.3.28:compile
      [INFO] |     - org.glassfish.grizzly:connection-pool:jar:2.3.28:compile

Assignee: ry303t
Reporter: takamune_cho