CVE-2019-17640

9.8 CRITICAL

📋 TL;DR

CVE-2019-17640 is a path traversal vulnerability in Eclipse Vert.x's StaticHandler component on Windows systems. It allows attackers to escape the configured webroot directory and access files in the current working directory by using backslashes in URLs. This affects Vert.x applications running on Windows that use StaticHandler to serve static files.

💻 Affected Systems

Products:
  • Eclipse Vert.x
Versions: 3.4.x up to 3.9.4, 4.0.0.milestone1 through 4.0.0.Beta3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems due to backslash path handling. Requires StaticHandler to be configured and serving static files.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through arbitrary file read, potentially leading to credential theft, configuration exposure, and lateral movement within the system.

🟠 Likely Case

Sensitive file disclosure including configuration files, source code, credentials, and other files accessible to the application user.

🟢 If Mitigated

Limited impact with proper file system permissions and defense-in-depth controls, potentially only exposing non-sensitive files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple path traversal using backslashes in URLs. No authentication required if static files are publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vert.x 3.9.5 and 4.0.0.Beta4

Vendor Advisory: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567416

Restart Required: Yes

Instructions:

1. Update Vert.x to version 3.9.5 or 4.0.0.Beta4 or later.
2. Update dependencies in your project configuration.
3. Rebuild and redeploy your application.
4. Restart the Vert.x instance.

🔧 Temporary Workarounds

Input Validation Filter

all

Add middleware to reject URLs containing backslashes before they reach StaticHandler

// Register before the StaticHandler route so any path containing a backslash
// is rejected with 400 and never reaches the static file resolver.
router.route().handler(ctx -> {
    if (ctx.request().path().contains("\\")) {
        ctx.fail(400);
    } else {
        ctx.next();
    }
});

Webroot Restriction

all

Configure StaticHandler with strict webroot and disable directory listing

StaticHandler.create().setWebRoot("webroot").setDirectoryListing(false);

🧯 If You Can't Patch

  • Migrate affected applications to Linux/Unix systems where this vulnerability does not exist
  • Implement strict file system permissions to limit what files the application user can access

🔍 How to Verify

Check if Vulnerable:

Check if running affected Vert.x version on Windows with StaticHandler enabled. Test by accessing a URL like http://host/..\..\file.txt

Check Version:

Check pom.xml or build.gradle for Vert.x version, or run: java -jar your-app.jar --version

Verify Fix Applied:

After patching, attempt the same path traversal with backslashes and verify access is denied

📡 Detection & Monitoring

Log Indicators:

  • HTTP 400/403 errors for paths containing backslashes
  • Unusual file access patterns from StaticHandler logs
  • Multiple failed attempts with path traversal patterns

Network Indicators:

  • HTTP requests containing backslashes in URLs
  • Patterns of ../ or ..\ in request paths
  • Unusual file extensions being requested

SIEM Query:

(http.url:*\* OR http.url:*..\*) AND status_code:200
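The logic behind the SIEM query above, as an added Python example that is not part of this advisory: it parses access-log lines, percent-decodes each request path, flags paths containing a backslash or a ".." segment, and marks those answered with HTTP 200 as served rather than blocked. The log lines, IPs and file names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic):
# a benign request, the backslash traversal raw and percent-encoded, two refusals.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /static/app.css HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2020:13:55:40 +0000] "GET /static/..\\..\\config.json HTTP/1.1" 200 1890
10.0.0.7 - - [10/Oct/2020:13:55:41 +0000] "GET /static/..%5c..%5cconfig.json HTTP/1.1" 200 1890
10.0.0.9 - - [10/Oct/2020:13:56:02 +0000] "GET /static/../secret.txt HTTP/1.1" 403 0
10.0.0.9 - - [10/Oct/2020:13:56:05 +0000] "GET /static/img\\logo.png HTTP/1.1" 404 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}

def classify_path(raw_path):
    """Return (has_backslash, has_dotdot) for a request path."""
    # Percent-decode first so the check also covers encoded forms that a literal
    # search for a backslash in the raw URL would miss; drop any query string.
    decoded = unquote(raw_path.split("?", 1)[0])
    has_backslash = "\\" in decoded
    has_dotdot = ".." in re.split(r"[\\/]", decoded)
    return has_backslash, has_dotdot

def find_traversal_attempts(log_text):
    """Return suspicious requests, each tagged 'served' (HTTP 200) or 'blocked'."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        has_backslash, has_dotdot = classify_path(rec["path"])
        if not (has_backslash or has_dotdot):
            continue
        rec.update(backslash=has_backslash, dotdot=has_dotdot)
        # A 200 on a traversal-looking path is the strongest signal: the file was served.
        rec["verdict"] = "served" if rec["status"] == 200 else "blocked"
        findings.append(rec)
    return findings
```

Calling find_traversal_attempts(SAMPLE_LOG) returns four records: the two backslash requests answered with 200 are tagged served, the 403 and 404 attempts are tagged blocked.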
