oss-sec mailing list archives

Re: CVE Request: CSRF in Grails console


From: cve-assign () mitre org
Date: Tue, 2 Aug 2016 18:43:16 -0400 (EDT)


The Grails console (aka Grails Debug Console, Grails Web Console) was
vulnerable to CSRF.

https://grails.org/plugin/console
https://github.com/sheehan/grails-console

(this is the plugin, not to be confused with the command line grails
console: http://docs.grails.org/3.1.1/ref/Command%20Line/console.html)

The fix has been made available in versions 1.5.10, 2.0.7. Versions up
to 1.5.9 and 2.0.6 are affected.

This allows an attacker to (create pages that when visited by a victim
will) forge requests that will execute arbitrary Groovy code on the
backend (the documentation explains how to enable it in production,
and granting access to administrators only, so this is not simply a
development tool).

Bug tracker: https://github.com/sheehan/grails-console/issues/54
fix commit: https://github.com/sheehan/grails-console/commit/155e0f5f0fe3b3bd7027d730fa00bf0655f28207

Use CVE-2016-6521.

(Conceivably this could have had a CVE-2015 number if
https://github.com/sheehan/grails-console/issues/24 were interpreted as
a vulnerability disclosure; however issues/24 seems too vague.)


Unfortunately the Grails framework itself ships with some horribly
insecure defaults. As of 3.1.9 the template code dropped by `grails
create-app` will have a UrlMappings.groovy that will allow access to
Grails controller actions via any HTTP method.

It is possible that a behavior like this could have its own CVE ID if
it is undocumented or interacts incorrectly with run-app. For example,
http://docs.grails.org/1.3.9/guide/single.html#6.4.5%20Mapping%20to%20HTTP%20methods
says "the HTTP method (GET, POST, PUT or DELETE)." Do you mean, for
example, that the OPTIONS or TRACE method can allow access, but the
documentation suggests that only GET, POST, PUT, and DELETE need to be
anticipated?

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
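As an added example (not code from the Grails project, the console plugin, or the original post), here is the permissive default UrlMappings.groovy described in the thread shown next to a mapping that pins each controller action to a single HTTP method, together with the two controller-side checks Grails itself provides: the `allowedMethods` property and the `withForm`/`invalidToken` synchronizer-token check (which pairs with `<g:form useToken="true">` in the GSP). `BookController`, the `Book` domain class and the `/books` routes are assumed names for illustration.

```groovy
// grails-app/controllers/UrlMappings.groovy
// Added example, not the Grails project's own code. BookController, Book and
// the /books routes are assumed names used for illustration only.
class UrlMappings {
    static mappings = {
        // Default written by `grails create-app` (3.1.x): no `method`
        // constraint, so any HTTP method reaches any controller action.
        // Remove this catch-all once every route is listed explicitly.
        // "/$controller/$action?/$id?(.$format)?" {
        //     constraints { }
        // }

        // Hardened: each route names its controller, action and the one HTTP
        // method it accepts. A request using any other method is not routed
        // to the action.
        "/books"(controller: "book", action: "index", method: "GET")
        "/books/$id"(controller: "book", action: "show", method: "GET")
        "/books"(controller: "book", action: "save", method: "POST")
        "/books/$id"(controller: "book", action: "update", method: "PUT")
        "/books/$id"(controller: "book", action: "delete", method: "DELETE")

        "500"(view: '/error')
        "404"(view: '/notFound')
    }
}

// grails-app/controllers/BookController.groovy
class BookController {
    // Second layer, independent of UrlMappings: Grails answers 405 Method Not
    // Allowed when a state-changing action is reached with the wrong method.
    static allowedMethods = [save: "POST", update: "PUT", delete: "DELETE"]

    def index() {
        respond Book.list()
    }

    def show(Long id) {
        respond Book.get(id)
    }

    // withForm/invalidToken is Grails' synchronizer-token check. The matching
    // <g:form useToken="true"> embeds a one-time token in the rendered form, so
    // a request forged from another origin cannot carry a valid one.
    def save() {
        withForm {
            // Token present and valid: the POST originated from our own form.
            def book = new Book(params)
            book.save(flush: true)
            redirect(action: "show", id: book.id)
        }.invalidToken {
            // Missing, reused or forged token: refuse, and log it so the
            // event shows up in detection.
            log.warn "rejected POST /books without a valid form token from ${request.remoteAddr}"
            response.sendError(403)
        }
    }
}
```

The explicit `method:` constraint answers the question raised above about OPTIONS or TRACE: once a route names its method, a request with any other method simply does not match that mapping, regardless of which methods the documentation lists. The `withForm` token is the part that actually addresses CSRF; method restriction alone only stops the GET-based variant of the forged request.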

