CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
76.6%
The remote web server uses a version of Grails, an open source web application framework for JVM, that is affected by an information disclosure vulnerability. Specifically, its ‘resources’ plug-in fails to restrict access to resources located under an application’s ‘WEB-INF’ and ‘META-INF’ directories by default. A remote attacker could leverage this to retrieve the contents of class or configuration files, such as web.xml, which should be private, including in other web applications using directory traversal sequences.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(72757);
script_version("1.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2014-0053", "CVE-2014-2857", "CVE-2014-2858");
script_bugtraq_id(65678, 67071, 67073);
script_name(english:"Grails resources plug-in WEB-INF / META-INF File Disclosure");
script_set_attribute(attribute:"synopsis", value:
"A Java web application framework in use on the remote web server is
affected by an information disclosure vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote web server uses a version of Grails, an open source web
application framework for JVM, that is affected by an information
disclosure vulnerability. Specifically, its 'resources' plug-in fails
to restrict access to resources located under an application's
'WEB-INF' and 'META-INF' directories by default. A remote attacker
could leverage this to retrieve the contents of class or configuration
files, such as web.xml, which should be private, including in other
web applications using directory traversal sequences.");
script_set_attribute(attribute:"see_also", value:"https://twitter.com/Ramsharan065/status/434975409134792704");
script_set_attribute(attribute:"see_also", value:"https://pivotal.io/security/cve-2014-0053");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Feb/194");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2014/Feb/267");
script_set_attribute(attribute:"solution", value:
"Upgrade the 'resources' plug-in to 1.2.6, configure it to block access
to resources under 'WEB-INF' and 'META-INF', and redploy the affected
applications.
Alternatively, block access to the 'WEB-INF' and 'META-INF'
directories in a reverse proxy.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-2858");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:springsource:grails");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2014-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl", "webmirror.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("url_func.inc");
include("webapp_func.inc");
include("data_protection.inc");
port = get_http_port(default:80);
dirs = get_kb_list("www/"+port+"/content/directories");
if (isnull(dirs)) dirs = cgi_dirs();
files = make_list('web.xml');
if (report_paranoia == 2) files = make_list(files, 'MANIFEST.MF', 'sitemesh.xml');
# Loop through possible webapps.
#
# nb: unless thorough_tests is enabled, we'll only scan a couple of directories.
max_apps = 10;
foreach webapp (make_list(dirs))
{
foreach file (files)
{
if ('MANIFEST.MF' == file) url = webapp + '/static/./META-INF/' + file;
else url = webapp + '/static/./WEB-INF/' + file;
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);
if (
(
'web.xml' == file &&
'application/xml' >< res[1] &&
'<web-app xmlns' >< res[2] &&
'grails.web.servlet.GrailsDispatcherServlet</servlet-class>' >< res[2]
) ||
(
'MANIFEST.MF' == file &&
'Manifest-Version:' >< res[2] &&
'Grails-Version:' >< res[2]
) ||
(
'sitemesh.xml' == file &&
'application/xml' >< res[1] &&
'<sitemesh>' >< res[2] &&
'grails.web.sitemesh.GrailsHTMLPageParser' >< res[2]
)
)
{
report = NULL;
attach_file = NULL;
output = NULL;
req = http_last_sent_request();
request = NULL;
if (report_verbosity > 0)
{
report =
'\n' + "Nessus was able to obtain the contents of the '" + file + "' with" +
'\n' + 'the following request :' +
'\n' +
'\n ' + req +
'\n';
if (report_verbosity > 1)
{
output = data_protection::sanitize_user_full_redaction(output:chomp(res[2]));
attach_file = file;
request = make_list(req);
contents = res[2];
}
}
security_report_v4(port:port,
extra:report,
severity:SECURITY_WARNING,
request:request,
file:attach_file,
output:output);
exit(0);
}
}
if (!thorough_tests && --max_apps == 0) break;
}
if (thorough_tests) exit(0, "The web server listening on port "+port+" does not appear to be affected.");
else exit(0, "No vulnerable web apps were found on the web server listening on port "+port+".");
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0053
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2857
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2858
pivotal.io/security/cve-2014-0053
seclists.org/fulldisclosure/2014/Feb/194
seclists.org/fulldisclosure/2014/Feb/267
twitter.com/Ramsharan065/status/434975409134792704