CVE Daily – Grails Framework (High+Critical)

[Critical] CVE-2022-41923 – Grails Spring Security Core plugin is vulnerable to privilege escalation. The vu...

Wed, 23 Nov 2022 19:15:12 +0000

Critical CVE-2022-41923

Grails Spring Security Core plugin is vulnerable to privilege escalation. The vulnerability allows an attacker access to one endpoint (i.e. the targeted endpoint) using the authorization requirements of a different endpoint (i.e. the donor endpoint). In some Grails framework applications, access to the targeted endpoint will be granted based on meeting the authorization requirements of the donor…

CVSS: 9.1 · CWE: CWE-269

View on NVD

[Critical] CVE-2022-35912 – In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1...

Tue, 19 Jul 2022 16:15:08 +0000

Critical CVE-2022-35912

In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.

CVSS: 9.8 · CWE: N/A

View on NVD

[High] CVE-2019-12728 – Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification serv...

Tue, 04 Jun 2019 13:29:00 +0000

High CVE-2019-12728

Grails before 3.3.10 used cleartext HTTP to resolve the SDKMan notification service. NOTE: users' apps were not resolving dependencies over cleartext HTTP.

CVSS: 8.1 · CWE: CWE-494

View on NVD

[High] CVE-2018-1000817 – Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2...

Thu, 20 Dec 2018 15:29:00 +0000

High CVE-2018-1000817

Asset Pipeline Grails Plugin Asset-pipeline plugin version Prior to 2.14.1.1, 2.15.1 and 3.0.6 contains a Incorrect Access Control vulnerability in Applications deployed in Jetty that can result in Download .class files and any arbitrary file. This attack appear to be exploitable via Specially crafted GET request containing directory traversal from assets-pipeline context. This vulnerability appe…

CVSS: 7.5 · CWE: CWE-22

View on NVD

[High] CVE-2018-17605 – An issue was discovered in the Asset Pipeline plugin before 3.0.4 for Grails. An...

Fri, 28 Sep 2018 09:29:01 +0000

High CVE-2018-17605

An issue was discovered in the Asset Pipeline plugin before 3.0.4 for Grails. An attacker can perform directory traversal via a crafted request when a servlet-based application is executed in Jetty, because there is a classloader vulnerability that can allow a reverse file traversal route in AssetPipelineFilter.groovy or AssetPipelineFilterCore.groovy.

CVSS: 7.5 · CWE: CWE-22

View on NVD

[High] CVE-2014-3626 – The Grails Resource Plugin often has to exchange URIs for resources with other i...

Mon, 19 Mar 2018 13:29:00 +0000

High CVE-2014-3626

The Grails Resource Plugin often has to exchange URIs for resources with other internal components. Those other components will decode any URI passed to them. To protect against directory traversal the Grails Resource Plugin did the following: normalized the URI, checked the normalized URI did not step outside the appropriate root directory (e.g. the web application root), decoded the URI and che…

CVSS: 7.5 · CWE: CWE-22

View on NVD

[High] CVE-2016-6521 – Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails De...

Mon, 23 Jan 2017 21:59:02 +0000

High CVE-2016-6521

Cross-site request forgery (CSRF) vulnerability in Grails console (aka Grails Debug Console and Grails Web Console) 2.0.7, 1.5.10, and earlier allows remote attackers to hijack the authentication of users for requests that execute arbitrary Groovy code via unspecified vectors.

CVSS: 8.8 · CWE: CWE-352

View on NVD