Vulnerabilities in the Grails web framework and the Ruby module TZInfo

A vulnerability has been identified in Grails, a web framework for developing MVC-style web applications in Groovy and other JVM languages, that allows an attacker to remotely execute code in the environment in which the web application runs. The vulnerability is exploited by sending a specially crafted request that gives the attacker access to the ClassLoader. The problem is caused by a flaw in the data-binding logic, which is used both when objects are created and during manual binding with bindData. The problem is fixed in releases 3.3.15, 4.1.1, 5.1.9 and 5.2.1.

Also worth noting is a vulnerability in the Ruby module TZInfo that allows the contents of any file to be read, as far as the permissions of the attacked application allow. The vulnerability is caused by the lack of proper checking for special characters in the time zone name passed to the TZInfo::Timezone.get method. The problem affects applications that pass unvalidated external data to TZInfo::Timezone.get. For example, to read the file /tmp/payload, a value such as "foo\n/../../../tmp/payload" can be specified.
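The mitigation on the application side is to validate a user-supplied time zone identifier before it reaches TZInfo::Timezone.get. The following is an added example, not code from TZInfo or the advisory; it assumes identifiers follow the IANA tz database convention (segments of letters, digits, `_`, `+`, `-`, separated by `/`) and uses a constructed allow-list in place of TZInfo::Timezone.all_identifiers. It also shows why a check written with Ruby's `^`/`$` anchors lets the newline payload through.

```ruby
# Added example: allow-list validation of time zone identifiers before they
# are handed to TZInfo::Timezone.get. Assumes IANA-style identifiers.

# Constructed sample allow-list; a real application would use
# TZInfo::Timezone.all_identifiers from the tz data it ships with.
KNOWN_ZONES = %w[Europe/London America/New_York Etc/GMT+5 UTC].freeze

# Whole-string anchors \A and \z: the identifier must consist only of
# allowed segments. '.' and "\n" are not in the character class, so
# "..", absolute paths and embedded newlines are all rejected.
VALID_ID = %r{\A[A-Za-z0-9_+\-]+(?:/[A-Za-z0-9_+\-]+)*\z}

# Deliberately weak check for comparison: in Ruby, ^ and $ match at line
# boundaries, so a value whose first line is harmless passes even when the
# second line carries the traversal sequence.
NAIVE_ID = %r{^[A-Za-z0-9_+\-/]+$}

def valid_zone_identifier?(id)
  id.is_a?(String) && id.match?(VALID_ID)
end

def naive_check?(id)
  id.is_a?(String) && id.match?(NAIVE_ID)
end

# Validates syntax, then membership in the allow-list, and only then yields
# the identifier to the caller (where TZInfo::Timezone.get(id) would run).
def safe_zone_lookup(id, known = KNOWN_ZONES)
  raise ArgumentError, "malformed time zone identifier" unless valid_zone_identifier?(id)
  raise ArgumentError, "unknown time zone" unless known.include?(id)
  yield id if block_given?
  id
end

if __FILE__ == $PROGRAM_NAME
  payload = "foo\n/../../../tmp/payload"   # the traversal value from the advisory
  puts "naive ^/$ check accepts payload: #{naive_check?(payload)}"
  puts "strict \\A/\\z check accepts payload: #{valid_zone_identifier?(payload)}"
  puts safe_zone_lookup("Europe/London") { |z| "would call TZInfo::Timezone.get(#{z.inspect})" }
end
```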
