oss-sec mailing list archives
Re: CVE Request: CSRF in Grails console
From: cve-assign () mitre org
Date: Tue, 2 Aug 2016 18:43:16 -0400 (EDT)
The Grails console (aka Grails Debug Console, Grails Web Console) was vulnerable to CSRF.
https://grails.org/plugin/console
https://github.com/sheehan/grails-console
(this is the plugin, not to be confused with the command line grails console: http://docs.grails.org/3.1.1/ref/Command%20Line/console.html )
The fix has been made available in versions 1.5.10, 2.0.7. Versions up to 1.5.9 and 2.0.6 are affected.
This allows an attacker to (create pages that when visited by a victim will) forge requests that will execute arbitrary groovy code on the backend (the documentation explains how to enable it in production, and granting access to administrators only, so this is not simply a development tool).
Bug tracker: https://github.com/sheehan/grails-console/issues/54
fix commit: https://github.com/sheehan/grails-console/commit/155e0f5f0fe3b3bd7027d730fa00bf0655f28207
Use CVE-2016-6521. (Conceivably this could have had a CVE-2015 number if https://github.com/sheehan/grails-console/issues/24 were interpreted as a vulnerability disclosure; however issues/24 seems too vague.)
Unfortunately the Grails framework itself ships with some horribly insecure defaults. As of 3.1.9 the template code dropped by `grails create-app` will have a UrlMappings.groovy that will allow access to Grails controllers actions via any HTTP method.
It is possible that a behavior like this could have its own CVE ID if it is undocumented or interacts incorrectly with run-app. For example, http://docs.grails.org/1.3.9/guide/single.html#6.4.5%20Mapping%20to%20HTTP%20methods says "the HTTP method (GET, POST, PUT or DELETE)." Do you mean, for example, that the OPTIONS or TRACE method can allow access, but the documentation suggests that only GET, POST, PUT, and DELETE need to be anticipated?
--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ]
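An added audit sketch for the two conditions raised in this thread, not code from either participant or from the Grails project: it checks a console plugin version against the fixed releases named above (1.5.10, 2.0.7) and flags URL mappings that set no HTTP method. The regex heuristics, the function names and the sample mappings (including the `report` controller) are assumptions constructed for this example.

```python
import re

# Fixed releases named in the thread: 1.5.10 (1.x line) and 2.0.7 (2.x line).
FIXED = {1: (1, 5, 10), 2: (2, 0, 7)}
def console_plugin_affected(version):
    """True if a console plugin version predates the CSRF fix."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    ver = tuple(nums + [0] * (3 - len(nums)))
    if ver[0] < 1:
        return True  # "versions up to 1.5.9" are affected
    fixed = FIXED.get(ver[0])
    # Assumption: release lines after 2.x are outside what the thread covers.
    return fixed is not None and ver < fixed

# A mapping starts with a quoted URL pattern, then "(...)" args and/or a "{...}" block.
MAPPING = re.compile(r'^[ \t]*"(/[^"\n]*)"[ \t]*(\([^)\n]*\))?[ \t]*(\{)?', re.M)
# Markers that pin a mapping to HTTP methods, or mean no controller action runs.
SAFE = re.compile(r'\bmethod\s*:|\bresources?\s*:|\bview\s*:|\baction\s*[:=]\s*\[')

def block_after(src, start):
    depth = 0  # src[start] is the opening '{'; return the balanced block
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start:i + 1]
    return src[start:]

def method_unrestricted_mappings(src):
    """URL patterns in UrlMappings.groovy text that accept any HTTP method."""
    flagged = []
    for m in MAPPING.finditer(src):
        spec = m.group(2) or ""
        if m.group(3):
            spec += block_after(src, m.start(3))
        if not SAFE.search(spec):
            flagged.append(m.group(1))
    return flagged

# Constructed sample: a catch-all mapping plus hypothetical application mappings.
SAMPLE = '''static mappings = {
    "/$controller/$action?/$id?(.$format)?"{ constraints { } }
    "/"(view: "/index")
    "/report/run"(controller: "report", action: "run", method: "POST")
    "/report/purge"(controller: "report", action: "purge")
}
'''
if __name__ == "__main__":
    print(console_plugin_affected("2.0.6"), method_unrestricted_mappings(SAMPLE))
```

A flagged mapping is a prompt to review the controller (for example its `allowedMethods` declaration), since the scan reads only the mappings file.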