Date: Tue,  2 Aug 2016 18:43:16 -0400 (EDT)
From: cve-assign@...re.org
To: berdario@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: CSRF in Grails console

> The Grails console (aka Grails Debug Console, Grails Web Console) was
> vulnerable to CSRF.
> 
> https://grails.org/plugin/console
> https://github.com/sheehan/grails-console
> 
> (this is the plugin, not to be confused with the command line grails
> console: http://docs.grails.org/3.1.1/ref/Command%20Line/console.html)
> 
> The fix has been made available in versions 1.5.10, 2.0.7. Versions up
> to 1.5.9 and 2.0.6 are affected.
> 
> This allows an attacker to (create pages that when visited by a victim
> will) forge requests that will execute arbitrary Groovy code on the
> backend (the documentation explains how to enable it in production
> and grant access to administrators only, so this is not simply a
> development tool).
> 
> Bug tracker: https://github.com/sheehan/grails-console/issues/54
> fix commit: https://github.com/sheehan/grails-console/commit/155e0f5f0fe3b3bd7027d730fa00bf0655f28207

Use CVE-2016-6521.

(Conceivably this could have had a CVE-2015 number if
https://github.com/sheehan/grails-console/issues/24 were interpreted as
a vulnerability disclosure; however issues/24 seems too vague.)


> Unfortunately the Grails framework itself ships with some horribly
> insecure defaults. As of 3.1.9 the template code dropped by `grails
> create-app` will have a UrlMappings.groovy that will allow access to
> Grails controller actions via any HTTP method.

It is possible that a behavior like this could have its own CVE ID if
it is undocumented or interacts incorrectly with run-app. For example,
http://docs.grails.org/1.3.9/guide/single.html#6.4.5%20Mapping%20to%20HTTP%20methods
says "the HTTP method (GET, POST, PUT or DELETE)." Do you mean, for
example, that the OPTIONS or TRACE method can allow access, but the
documentation suggests that only GET, POST, PUT, and DELETE need to be
anticipated?

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
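The two points raised in the thread, a catch-all URL mapping that exposes every controller action to every HTTP method, and a code-executing action reachable by a cross-site forged request, can both be addressed in the application's own Grails configuration. The following is an added example written for this archive page; it is not code from the thread, from grails-console, or from the referenced fix commit. It assumes a Grails 3.x application with a hypothetical ConsoleController whose `execute` action evaluates submitted code through an assumed `consoleService`, and it uses the documented Grails `method:` mapping parameter, the controller `allowedMethods` property, and the `withForm` synchronizer-token check.

```groovy
// Added example (not from the thread or the grails-console plugin).
// Assumed: Grails 3.x, a hypothetical ConsoleController, and an assumed
// consoleService bean that evaluates code.

// --- grails-app/controllers/UrlMappings.groovy ---
class UrlMappings {
    static mappings = {
        // Weak default dropped by `grails create-app`: every action of every
        // controller is reachable under /$controller/$action via any HTTP
        // method. Shown here commented out for contrast:
        //   "/$controller/$action?/$id?(.$format)?" { constraints { } }

        // Hardened: explicit mappings, each bound to the single HTTP method
        // it is meant to serve. A request with any other method does not
        // match these mappings at all.
        "/console"(controller: "console", action: "index", method: "GET")
        "/console/execute"(controller: "console", action: "execute", method: "POST")

        "/"(view: "/index")
        "500"(view: "/error")
        "404"(view: "/notFound")
    }
}

// --- grails-app/controllers/ConsoleController.groovy ---
class ConsoleController {
    // Assumed service bean that evaluates the submitted code (not shown).
    def consoleService

    // Defense in depth independent of UrlMappings: Grails answers
    // 405 Method Not Allowed if execute is requested with anything but POST.
    static allowedMethods = [execute: "POST"]

    def index() {
        // The index view is expected to render the form with
        // <g:form useToken="true" ...>, which embeds a per-session
        // synchronizer token that withForm() below verifies.
        render(view: "index")
    }

    def execute() {
        // withForm only runs its body when the request carries the token
        // that g:form useToken="true" generated for this session. A forged
        // request built on another site cannot obtain that token, so the
        // cross-site request is rejected rather than evaluated.
        withForm {
            def output = consoleService.evaluate(params.code)
            render(contentType: "text/plain", text: output)
        }.invalidToken {
            response.status = 403
            render(contentType: "text/plain", text: "Missing or invalid form token")
        }
    }
}
```

The mapping restriction and `allowedMethods` answer the second part of the thread (any-method access to actions); the `withForm`/`useToken` pairing answers the CSRF report itself, since a forged cross-site POST can carry the victim's session cookie but not the synchronizer token stored in that session. Both layers are worth keeping even after upgrading to a fixed plugin version, because the console is documented as an administrator-only production feature.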
