3.4.1
3.9.4
CVE-2019-17640 is a critical Path Traversal vulnerability affecting Eclipse Vert.x Web, a reactive toolkit for building asynchronous applications. This flaw allows attackers to bypass intended file access restrictions and potentially read arbitrary files on the server. The vulnerability impacts versions up to 3.9.3 and early 4.x milestone releases. A fix is available in version 3.9.4.
The core of this vulnerability lies in how Vert.x Web handles backslashes in file paths on Windows systems. The StaticHandler component fails to properly sanitize these backslashes, allowing an attacker to construct a path that escapes the intended webroot directory. This escape can lead to the exposure of sensitive files, including configuration files, source code, or even system files, depending on the server's permissions and file system structure. Successful exploitation could result in complete compromise of the server and data exfiltration. While the vulnerability description focuses on Windows, the underlying logic flaw could potentially be exploited on other operating systems with appropriate path manipulation techniques.
CVE-2019-17640 was publicly disclosed on February 10, 2022. While no active exploitation campaigns have been definitively linked to this CVE, the critical severity and relatively straightforward exploitation path make it a potential target. There are publicly available proof-of-concept exploits demonstrating the vulnerability. It is not currently listed on CISA KEV.
Organizations deploying Vert.x Web applications, particularly those running on Windows servers or with legacy configurations that haven't been updated to version 3.9.4, are at significant risk. Shared hosting environments utilizing Vert.x Web are also vulnerable, as they may not have control over the underlying Vert.x Web version.
• java / server:
find /opt/vertx/lib -name "*vertx-web-*.jar" -print0 | xargs -0 grep -iE 'StaticHandler.*backslashes'• java / supply-chain: Check dependencies in your project's build file (pom.xml or build.gradle) for Vert.x Web versions prior to 3.9.4. • generic web: Review access logs for requests containing unusual or excessive backslashes in the file path, especially those targeting static resources.
discovery
disclosure
poc
patch
漏洞利用状态
EPSS
1.69% (82% 百分位)
CVSS 向量
The primary mitigation for CVE-2019-17640 is to upgrade to Eclipse Vert.x Web version 3.9.4 or later. This version includes a fix that properly handles backslashes in file paths, preventing the path traversal. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious path patterns, particularly those with excessive or unusual backslashes. Additionally, review and restrict file system permissions to minimize the potential impact of a successful attack. Ensure the webroot directory is properly configured and secured.
升级到 3.9.4 或 4.0.0.Beta3 之后的 Eclipse Vert.x 版本,以修复因 Windows 系统中反斜杠处理不当而引起的路径遍历漏洞。请参阅版本说明以获取有关升级的更多详细信息。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2019-17640 is a critical vulnerability in Eclipse Vert.x Web allowing attackers to bypass file access restrictions and potentially read sensitive files due to improper handling of backslashes on Windows.
You are affected if you are using Eclipse Vert.x Web versions 3.9.3 or earlier, or any of the 4.x milestone releases mentioned in the description.
Upgrade to Eclipse Vert.x Web version 3.9.4 or later to resolve this vulnerability. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's critical severity and ease of exploitation make it a potential target.
Refer to the Eclipse Vert.x security advisory for detailed information and updates: https://security.eclipse.org/vuln/ecossecurity-2019-0014
上传你的 pom.xml 文件,立即知道是否受影响。