Platform
java
Component
io.vertx:vertx-web
Fixed in
3.4.1
3.9.4
CVE-2019-17640 is a critical Path Traversal vulnerability affecting Eclipse Vert.x Web, a reactive toolkit for building asynchronous applications. This flaw allows attackers to bypass intended file access restrictions and potentially read arbitrary files on the server. The vulnerability impacts versions up to 3.9.3 and early 4.x milestone releases. A fix is available in version 3.9.4.
The core of this vulnerability lies in how Vert.x Web handles backslashes in file paths on Windows systems. The StaticHandler component does not treat backslashes as path separators when it sanitizes a requested path, so an attacker can construct a path that escapes the intended webroot directory. This escape can expose sensitive files, including configuration files, source code, or even system files, depending on the server's permissions and file system structure. Successful exploitation could result in complete compromise of the server and data exfiltration. While the vulnerability description focuses on Windows, the underlying logic flaw could potentially be exploited on other operating systems with appropriate path manipulation techniques.
CVE-2019-17640 was publicly disclosed on February 10, 2022. While no active exploitation campaigns have been definitively linked to this CVE, the critical severity and relatively straightforward exploitation path make it a potential target. There are publicly available proof-of-concept exploits demonstrating the vulnerability. It is not currently listed on CISA KEV.
Exploit Status
EPSS
1.69% (82nd percentile)
CVSS Vector
The primary mitigation for CVE-2019-17640 is to upgrade to Eclipse Vert.x Web version 3.9.4 or later. This version includes a fix that properly handles backslashes in file paths, preventing the path traversal. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious path patterns, particularly those with excessive or unusual backslashes. Additionally, review and restrict file system permissions to minimize the potential impact of a successful attack. Ensure the webroot directory is properly configured and secured.
Update to a version of Eclipse Vert.x later than 3.9.4 or 4.0.0.Beta3 that fixes the path traversal vulnerability caused by incorrect backslash handling on Windows systems. See the release notes for more details on the upgrade.
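The following is an added example, not code from the Vert.x project or its StaticHandler, written in Python to illustrate the two defensive points above in a generic way: a webroot containment check that treats backslashes as separators before resolving (shown beside the flawed pattern that only recognizes forward slashes), and a request-log filter of the kind a WAF rule or detection query would apply. The webroot `/var/www/static`, the function names, and the log lines are constructed for the example.

```python
"""Added example: webroot containment with backslash handling, plus a log
filter for traversal-looking request paths. Not Vert.x code; the flawed
pattern is a generic illustration of the class of bug, not the original."""
import posixpath
import re
from urllib.parse import unquote


def naive_resolve_within_webroot(webroot: str, raw_path: str):
    """Flawed pattern: only '/' is treated as a separator, so a segment such
    as '..\\..\\conf' is one ordinary file name to normpath and passes the
    prefix check, although a Windows file system would walk it upward."""
    candidate = posixpath.normpath(
        posixpath.join(webroot, unquote(raw_path).lstrip("/")))
    root = webroot.rstrip("/")
    return candidate if candidate.startswith(root + "/") else None


def safe_resolve_within_webroot(webroot: str, raw_path: str):
    """Hardened check: percent-decode twice (catches double encoding), map
    backslashes to '/', normalize, then require the result to stay at or
    below the webroot. Returns the resolved path or None if it escapes."""
    normalized = unquote(unquote(raw_path)).replace("\\", "/")
    candidate = posixpath.normpath(
        posixpath.join(webroot, normalized.lstrip("/")))
    root = webroot.rstrip("/")
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2022:10:00:01 +0000] "GET /static/css/site.css HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Feb/2022:10:00:02 +0000] "GET /static/..\\..\\conf\\app.properties HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Feb/2022:10:00:03 +0000] "GET /static/%2e%2e%5c%2e%2e%5cconf%5capp.properties HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Feb/2022:10:00:04 +0000] "GET /static/img/logo.png HTTP/1.1" 200 2048',
]

REQUEST_PATH = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')
# A raw or percent-encoded backslash, or a dot-dot segment followed by any
# separator form: the "suspicious path patterns" a WAF rule would filter.
TRAVERSAL_PATTERN = re.compile(
    r'\\|%5c|(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c)', re.IGNORECASE)


def flag_suspicious_requests(log_lines):
    """Return (line_number, request_path) for lines whose path matches the
    traversal pattern; lines without a parseable request are skipped."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_PATH.search(line)
        if not match:
            continue
        path = match.group(1)
        if TRAVERSAL_PATTERN.search(path):
            hits.append((number, path))
    return hits


if __name__ == "__main__":
    root = "/var/www/static"
    for req in ["/css/site.css", "/..\\..\\conf\\app.properties", "/%2e%2e%5cconf/app.properties"]:
        print(req, "naive:", naive_resolve_within_webroot(root, req),
              "safe:", safe_resolve_within_webroot(root, req))
    for number, path in flag_suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious path {path}")
```

The containment check normalizes lexically; in a real handler, resolve the final candidate on disk as well (symlinks are outside what this example covers), and apply the same separator mapping before any allow-list or extension check so that a backslash segment is never compared as a plain file name. The log filter is deliberately broad; tune it against your own traffic, since legitimate URLs rarely carry backslashes but encoded dots can appear in some frameworks.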
CVE-2019-17640 is a critical vulnerability in Eclipse Vert.x Web allowing attackers to bypass file access restrictions and potentially read sensitive files due to improper handling of backslashes on Windows.
You are affected if you are using Eclipse Vert.x Web versions 3.9.3 or earlier, or any of the 4.x milestone releases mentioned in the description.
Upgrade to Eclipse Vert.x Web version 3.9.4 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's critical severity and ease of exploitation make it a potential target.
Refer to the Eclipse Vert.x security advisory for detailed information and updates: https://security.eclipse.org/vuln/ecossecurity-2019-0014