Path traversal in Assets controller
CVE ID
CVE-2018-13864
Date
16 Jul 2018
Description
Play's Assets controller was not correctly handling paths when the application was running on Windows, which exposed the application to a path traversal exploit.
Impact
When an application is running on Windows, it is possible to access files on the classpath stored outside the public folder, such as the conf/application.conf file.
Note that this issue only affects Windows; it does not affect Linux.
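As an added illustration (this is not Play's own code, and the advisory does not state the exact root cause), the constructed Python resolver below shows how a path check that only treats `/` as a separator lets a Windows-style `..\` segment escape the public folder, beside a hardened version that normalizes both separators before checking the resolved path against the public prefix. PUBLIC_ROOT and both function names are assumptions made for this example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed classpath folder that the assets handler may serve from.
PUBLIC_ROOT = "public"


def naive_resolve(requested: str) -> Optional[str]:
    """Forward-slash-only check (hypothetical weak form).

    Segments are split on '/' only, so a request using Windows
    separators is never seen as containing '..', even though a
    Windows file API would treat '\\' as a separator.
    """
    parts = [p for p in requested.split("/") if p not in ("", ".")]
    if ".." in parts:
        return None
    return PUBLIC_ROOT + "/" + "/".join(parts)


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened check: normalize, resolve, then verify the prefix."""
    # Decode percent-encoding once (assumes the raw path segment is
    # passed in), then treat backslashes as separators as Windows does.
    decoded = unquote(requested).replace("\\", "/")
    # Reject NUL bytes, absolute paths and drive-letter prefixes outright.
    if "\x00" in decoded or decoded.startswith("/") or ":" in decoded:
        return None
    # Join with the root and collapse '.' / '..' segments.
    candidate = posixpath.normpath(posixpath.join(PUBLIC_ROOT, decoded))
    # Only paths that stay inside PUBLIC_ROOT are served.
    if candidate != PUBLIC_ROOT and not candidate.startswith(PUBLIC_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: a legitimate asset and a traversal attempt.
    for req in ("css/app.css", "..\\conf\\application.conf"):
        print(repr(req), "naive:", naive_resolve(req), "safe:", safe_resolve(req))
```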
Affected versions
- Play 2.6.12-2.6.15
Versions prior to 2.6.12, including 2.5.x and earlier, are not affected by this vulnerability.
Fixes
This issue is fixed in Play 2.6.16.
CVSS metrics
Overall: 6.7
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
Acknowledgements
Credit for finding this vulnerability goes to the Qihoo360 Redteam.