Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue,  2 Aug 2016 18:43:16 -0400 (EDT)
From: cve-assign@...re.org
To: berdario@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: CSRF in Grails console

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> The Grails console (aka Grails Debug Console, Grails Web Console) was
> vulnerable to CSRF.
> 
> https://grails.org/plugin/console
> https://github.com/sheehan/grails-console
> 
> (this is the plugin, not to be confused with the command line grails
> console: http://docs.grails.org/3.1.1/ref/Command%20Line/console.html
> )
> 
> The fix has been made available in versions 1.5.10, 2.0.7. Versions up
> to 1.5.9 and 2.0.6 are affected.
> 
> This allows an attacker to (create pages that when visited by a victim
> will) forge requests that will execute arbitrary groovy code on the
> backend (the documentation explains how to enable it in production,
> and granting access to administrators only, so this is not simply a
> development tool).
> 
> Bug tracker: https://github.com/sheehan/grails-console/issues/54
> fix commit: https://github.com/sheehan/grails-console/commit/155e0f5f0fe3b3bd7027d730fa00bf0655f28207

Use CVE-2016-6521.

(Conceivably this could have had a CVE-2015 number if
https://github.com/sheehan/grails-console/issues/24 were interpreted as
a vulnerability disclosure; however issues/24 seems too vague.)


> Unfortunately the Grails framework itself ships with some horribly
> insecure defaults. As of 3.1.9 the template code dropped by `grails
> create-app` will have a UrlMappings.groovy that will allow access to
> Grails controllers actions via any HTTP method.

It is possible that a behavior like this could have its own CVE ID if
it is undocumented or interacts incorrectly with run-app. For example,
http://docs.grails.org/1.3.9/guide/single.html#6.4.5%20Mapping%20to%20HTTP%20methods
says "the HTTP method (GET, POST, PUT or DELETE)." Do you mean, for
example, that the OPTIONS or TRACE method can allow access, but the
documentation suggests that only GET, POST, PUT, and DELETE need to be
anticipated?

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXoSGRAAoJEHb/MwWLVhi2gEIP/iwnGiItegQOEYvx1qpyJvGP
+dTJ3xgvB0Zc8L5e4VD6AUd2d687GKeLB4juOYWR9h7TGyu62X6KMfAVfSl/4D5n
3N+DoZHuPIw6GlW9apWA9HeHg/PqUxV7in41wDRXkn1m1eD2Jz5zxm+ZaBrKmoOy
DNFnjSSaUkNuQtPq2qstIGxZ+iLBlBSH0k4kR5MTIUEoZZ3E2DZrP+0x5v+8MaZn
GCDfhJ0WWxUMr0d8lbpntZGWJU0hbacg2ImKDFSwhNkRR8r5CMzEK62p0ZqiEWNU
0udvX42XXM4YUXg54fXpN8lkt6qd8QIpa0FXlFLN/Oa2auI2pU+RnQ607yc8KGzN
1tiWXGQtxiWRQcZ8V93K5Ytj99qbpfyPRQpLtEX1GCilu/Bog2HCv9mFWmgTqib0
3/80z6599TFmeSibxIz21qkGPtXjwxjEhwdaDuUNP3Cc6xQK9pS9Vq/GmoGCNR46
ov/CpWbWEK058n6or0u7gl6rsJJNh55XKrXjfujrY+Dly3FQ0pULXPWnbsnFS4Vj
J+nNiQnX2wuYOmf+RoRn1H7rxFj5+9+pkrQFNbZZFKUpmXchyI6TTPaq5Cfpm9X8
oyyEV4ykiaOpH7CgHavqbhgfV3FkDBCPWb0iN2tgpK1rNEl84b18afRlVq+zVNBN
INdR8i7XC8AJf0piGF8J
=yHDR
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.