Fwd: [grails-user] IMPORTANT: CVE-2014-0053 Information Disclosure in Grails applications


UEHARA Junji

Feb 20, 2014, 5:12:17 AM2/20/14
to JGGUG
Dear JGGUG members,
Information about an important Grails vulnerability has arrived, so I am forwarding it.
Those of you using Grails 2.x should check it.
---------- Forwarded message ----------
From: Graeme Rocher <graeme...@gmail.com>
Date: Thursday, February 20, 2014
Subject: [grails-user] IMPORTANT: CVE-2014-0053 Information Disclosure in Grails applications
To: user <us...@grails.codehaus.org>


Hi all,

We recently were informed of a security vulnerability in the resources
plugin that ships with all Grails versions since 2.0.x.

If your application is not using the resources plugin you can safely
ignore this disclosure.

This vulnerability has been rectified in Grails 2.3.6 by explicitly
checking the default configuration for the resources plugin, but
earlier versions of Grails require the addition of the following code
to Config.groovy:

grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']

The vulnerability is serious as an attacker could potentially download
your entire codebase so we recommend immediate action.

For further information and recommended solutions please read the
security disclosure:

http://cxsecurity.com/issue/WLB-2014020172?utm_source=twitterfeed&utm_medium=twitter&utm_content=bugtraq,+wlb,+cxsecurity

Thanks for your attention.

--
Graeme Rocher
Grails Project Lead
SpringSource

--
UEHARA Junji
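The mitigation in the forwarded mail is two settings in Config.groovy. The following audit script is an added example, not part of the mail or of the Grails project: it reads a Config.groovy, extracts the `grails.resources.adhoc.includes` and `grails.resources.adhoc.excludes` lists, and reports whether the explicit includes list is present and whether `/WEB-INF/**` is excluded. The sample configuration strings are constructed for the demonstration; the function names and the regex-based parsing of Groovy list literals are the example's own assumptions (it handles simple quoted-string lists, which is what the advisory's snippet uses, not arbitrary Groovy).

```python
import re
import sys

# Settings the advisory says pre-2.3.6 Grails apps using the resources plugin must add.
KEY_INCLUDES = 'grails.resources.adhoc.includes'
KEY_EXCLUDES = 'grails.resources.adhoc.excludes'
REQUIRED_EXCLUDE = '/WEB-INF/**'

# Matches a Groovy list assignment such as
#   grails.resources.adhoc.excludes = ['/WEB-INF/**']
# The list may wrap across lines (as it does in the mail), hence re.S.
# A commented-out line ("// grails...") does not match because the key
# must be the first non-blank token on the line.
_ASSIGN_RE = re.compile(
    r"^\s*(grails\.resources\.adhoc\.(?:includes|excludes))\s*=\s*\[(.*?)\]",
    re.M | re.S,
)


def parse_adhoc_settings(config_text):
    """Return {setting_key: [patterns]} for the adhoc lists found in the text."""
    found = {}
    for key, body in _ASSIGN_RE.findall(config_text):
        # Pull out each single- or double-quoted string inside the brackets.
        found[key] = re.findall(r"""['"]([^'"]*)['"]""", body)
    return found


def audit_config(config_text):
    """Return a list of findings; an empty list means the mitigation is present."""
    settings = parse_adhoc_settings(config_text)
    findings = []
    if KEY_INCLUDES not in settings:
        findings.append(f"{KEY_INCLUDES} is not set; add the explicit includes list from the advisory")
    if KEY_EXCLUDES not in settings:
        findings.append(f"{KEY_EXCLUDES} is not set; '{REQUIRED_EXCLUDE}' must be excluded")
    elif REQUIRED_EXCLUDE not in settings[KEY_EXCLUDES]:
        findings.append(f"{KEY_EXCLUDES} does not contain '{REQUIRED_EXCLUDE}'")
    return findings


def audit_file(path):
    """Audit a Config.groovy on disk; returns the same findings list as audit_config."""
    with open(path, encoding='utf-8') as fh:
        return audit_config(fh.read())


# Constructed sample: a Config.groovy that never set the adhoc lists (unmitigated).
VULNERABLE_CONFIG = """
// constructed sample config, no resources-plugin adhoc settings at all
grails.serverURL = "http://example.invalid"
"""

# Constructed sample: the two lines the advisory tells you to add, wrapped as in the mail.
FIXED_CONFIG = """
grails.serverURL = "http://example.invalid"
grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**',
    '/plugins/**']
grails.resources.adhoc.excludes = ['/WEB-INF/**']
"""


if __name__ == '__main__':
    # Usage: python audit_adhoc.py grails-app/conf/Config.groovy
    # With no argument, audit the two constructed samples instead.
    targets = {'vulnerable sample': VULNERABLE_CONFIG, 'fixed sample': FIXED_CONFIG}
    if len(sys.argv) > 1:
        targets = {sys.argv[1]: open(sys.argv[1], encoding='utf-8').read()}
    for name, text in targets.items():
        problems = audit_config(text)
        status = 'OK' if not problems else 'NEEDS ACTION'
        print(f"{name}: {status}")
        for p in problems:
            print(f"  - {p}")
```

Run it against `grails-app/conf/Config.groovy` of each Grails 2.0 to 2.3.5 application that uses the resources plugin; an empty findings list means both settings are in place as the advisory describes. The script only checks the static configuration, so it does not replace upgrading to 2.3.6, where the default is checked by the framework itself.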