Arbitrary File Read Vulnerability

[RichoDemus]

Just posting it here so it gets visbility, I didn't write the original message:
http://marc.info/?l=full-disclosure&m=147814643630342&w=2

There appears to be a vulnerability which lets users read any file from the file system

[jakaarl]

Eeek! 8-O
If the core folks aren't available, I could take a stab at this tonight/tomorrow.

[nightwatchcyber]

CVE-2016-9177 has been assigned for this vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9177

[jakaarl]

I wasn't able to reproduce in a minimal Spark app JAR, but it's indeed reproducible by running spark.examples.staticresources.StaticResources (in an IDE) and curling away at it. Will have to investigate more.

[jakaarl]

Not really having the time and peace to thoroughly investigate, but based on some quick tests:

• from IDE, both class path and external file resources are vulnerable
• running in a standalone Jetty JAR, only external resources are accessible

The difference in running in an IDE and running as a packaged up is probably either due to resources being inside a JAR file, or different class loader setup. Should try running in an unpackaged application.

[perwendel]

We are available. The emails "AJ" tried to send all got caught by gmail's spam filters (which this guy was aware of that it could be the case but "failed" to write in his emails shown on marc.info)
We are addressing this ASAP.

[perwendel]

Fixed with #701.
Spark 2.5.2 released http://search.maven.org/#artifactdetails%7Ccom.sparkjava%7Cspark-core%7C2.5.2%7Cbundle with this fix!

[mattwelke]

Noticed my IDE warned me about the vulnerability after I followed the tutorial on the site (https://sparkjava.com/tutorials/maven-setup). The tutorial uses version 2.5 right now.