CVE-2023-24815

Description

### Summary When running vertx web applications that serve files using `StaticHandler` on Windows Operating Systems and Windows File Systems, if the mount point is a wildcard (`*`) then an attacker can exfiltrate any class path resource. ### Details When computing the relative path to locate the resource, in case of wildcards, the code: https://github.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83 returns the user input (without validation) as the segment to lookup. Even though checks are performed to avoid escaping the sandbox, given that the input was not sanitized `\` are not properly handled and an attacker can build a path that is valid within the classpath. ### PoC https://github.com/adrien-aubert-drovio/vertx-statichandler-windows-traversal-path-vulnerability

How to fix CVE-2023-24815

To remediate CVE-2023-24815, upgrade the affected package to a fixed version below.

• —upgrade to 4.3.8 or later

Is CVE-2023-24815 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 4.0.0, < 4.3.8

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-24815
• PATCHgithub.com/vert-x3/vertx-web
• WEBgithub.com/vert-x3/vertx-web/blob/62c0d66fa1c179ae6a4d57344631679a2b97e60f/vertx-web/src/main/java/io/vertx/ext/web/impl/Utils.java#L83
• WEBgithub.com/vert-x3/vertx-web/commit/9e3a783b1d1a731055e9049078b1b1494ece9c15