Eclipse Vert.x
cpe:2.3:a:eclipse:vert.x:*:*:*:*:*:*:*
- >= 4.0.0, <= 4.5.21
- >= 5.0.0, <= 5.0.4
A vulnerability exists in Eclipse Vert.x versions 4.0.0 prior to 4.5.21 and 5.0.0 prior to 5.0.4. The issue arises in the StaticHandler component, where the configuration intended to block access to hidden files does not effectively restrict access to hidden directories. This flaw allows unauthorized users to access files within these directories, such as '.git/config', potentially leading to the exposure of sensitive information.
Exploitation of this vulnerability could result in unauthorized access to files in hidden directories, such as Git configuration files, environment variable files, AWS credentials, SSH trust information, or Docker registry credentials.
To reproduce this vulnerability, set up a Vert.x application with the StaticHandler configured to exclude hidden files. After deploying the application, attempt to access files within hidden directories, such as '.git', which should be blocked under normal circumstances. The vulnerability can be confirmed if the files are accessible despite the hidden file exclusion setting.
Users can upgrade to Eclipse Vert.x versions 4.5.22 or 5.0.5, both of which address this vulnerability.
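As an added example (not code from the advisory or from the Vert.x project), the following Vert.x Web route guard denies any request whose path contains a dot-prefixed segment, so hidden directories such as `.git` are covered along with hidden files; it runs before the StaticHandler as a compensating control until the upgrade is applied. The web root `webroot`, the mount point `/static/*` and port 8080 are assumptions, and the guard relies on `normalizedPath()` having already resolved `.` and `..` segments.

```java
// Added example, not Vert.x project code: deny hidden files AND hidden directories
// before the request reaches StaticHandler.
import io.vertx.core.Vertx;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.StaticHandler;

public class HiddenPathGuard {

  // True when any path segment starts with '.', i.e. the request targets a hidden
  // file or anything below a hidden directory (e.g. /static/.git/config).
  // Checking only the final segment is exactly what leaves hidden directories exposed.
  static boolean targetsHiddenPath(String normalizedPath) {
    for (String segment : normalizedPath.split("/")) {
      if (segment.startsWith(".")) {
        return true;
      }
    }
    return false;
  }

  static void denyHidden(RoutingContext ctx) {
    // normalizedPath() has already removed "." and ".." segments
    if (targetsHiddenPath(ctx.normalizedPath())) {
      ctx.fail(404); // answer as if the resource does not exist
    } else {
      ctx.next();
    }
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    Router router = Router.router(vertx);

    // Guard first, then the static file handler on the same mount point (assumed paths)
    router.route("/static/*").handler(HiddenPathGuard::denyHidden);
    router.route("/static/*").handler(
        StaticHandler.create("webroot").setIncludeHidden(false));

    vertx.createHttpServer().requestHandler(router).listen(8080);
  }
}
```

A request for `/static/.git/config` is answered with 404 by the guard regardless of how the StaticHandler's hidden-file setting behaves in the affected versions.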