GridGain up to 1.7.15/1.8.11/1.9.6/8.1.4 GUI Console path traversal

Summaryinfo

A vulnerability classified as problematic has been found in GridGain up to 1.7.15/1.8.11/1.9.6/8.1.4. Affected by this issue is some unknown functionality of the component GUI Console. The manipulation leads to path traversal. This vulnerability is listed as CVE-2017-14614. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in GridGain up to 1.7.15/1.8.11/1.9.6/8.1.4. It has been rated as problematic. This issue affects some unknown processing of the component GUI Console. The manipulation with an unknown input leads to a path traversal vulnerability. Using CWE to declare the problem leads to CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Impacted is confidentiality. The summary by CVE is:

Directory traversal vulnerability in the Visor GUI Console in GridGain before 1.7.16, 1.8.x before 1.8.12, 1.9.x before 1.9.7, and 8.x before 8.1.5 allows remote authenticated users to read arbitrary files on remote cluster nodes via a crafted path.

The bug was discovered 10/05/2017. The weakness was presented 10/10/2017 (oss-sec). It is possible to read the advisory at openwall.com. The identification of this vulnerability is CVE-2017-14614 since 09/20/2017. The attack may be initiated remotely. Required for exploitation is a simple authentication. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1006 according to MITRE ATT&CK.

The vulnerability was handled as a non-public zero-day exploit for at least 4 days. During that time the estimated underground price was around $0-$5k.

Upgrading to version 1.7.16, 1.8.12, 1.9.7 or 8.1.5 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Name

• GridGain

Version

• 1.7.0
• 1.7.1
• 1.7.2
• 1.7.3
• 1.7.4
• 1.7.5
• 1.7.6
• 1.7.7
• 1.7.8
• 1.7.9
• 1.7.10
• 1.7.11
• 1.7.12
• 1.7.13
• 1.7.14
• 1.7.15
• 1.8.0
• 1.8.1
• 1.8.2
• 1.8.3
• 1.8.4
• 1.8.5
• 1.8.6
• 1.8.7
• 1.8.8
• 1.8.9
• 1.8.10
• 1.8.11
• 1.9.0
• 1.9.1
• 1.9.2
• 1.9.3
• 1.9.4
• 1.9.5
• 1.9.6
• 8.1.0
• 8.1.1
• 8.1.2
• 8.1.3
• 8.1.4

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion