Vulnerabilities in Grails web framework and TZInfo Ruby module

A vulnerability has been identified in Grails, a web framework for building applications that follow the MVC paradigm in Java, Groovy and other JVM languages, that allows remote code execution in the environment in which the web application runs. It is exploited by sending a specially crafted request that gives the attacker access to the ClassLoader. The problem is caused by a flaw in the data-binding logic, which is used both when objects are created and when binding is performed manually with bindData. The issue has been fixed in releases 3.3.15, 4.1.1, 5.1.9 and 5.2.1.

Separately, a vulnerability in the tzinfo Ruby module allows the contents of any file to be loaded, as far as the access rights of the attacked application allow. The vulnerability stems from a missing check for special characters in the time zone name passed to the TZInfo::Timezone.get method. The issue affects applications that pass unvalidated external data to TZInfo::Timezone.get. For example, to read the file /tmp/payload, a value such as "foo\n/../../../tmp/payload" can be specified.
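
An added example (not from the original article or the tzinfo project) of the input check an application can apply before calling TZInfo::Timezone.get: it contrasts a line-anchored pattern, which accepts the value quoted above, with a whole-string pattern backed by an allowlist. The patterns, helper names and the ALLOWED_ZONES list are assumptions made for illustration.

```ruby
# Added example: validate a time zone name before it reaches TZInfo::Timezone.get.
# Patterns, helper names and the allowlist are assumptions, not tzinfo's own code.
SEGMENT = '[A-Za-z0-9+\-_]+'

# Loose check: in Ruby, ^ and $ match at every line boundary, so only one
# line of a multi-line input has to look like a valid identifier.
LOOSE_ID = /^#{SEGMENT}(\/#{SEGMENT})*$/

# Strict check: \A and \z anchor to the whole string (\Z would allow a trailing "\n").
STRICT_ID = /\A#{SEGMENT}(\/#{SEGMENT})*\z/

# Constructed allowlist; a real application would list the zones it offers.
ALLOWED_ZONES = %w[UTC Europe/London America/New_York Asia/Tokyo].freeze

def loose_valid?(id)
  !!(id =~ LOOSE_ID)
end

def strict_valid?(id)
  id.is_a?(String) && id.match?(STRICT_ID)
end

# Returns the identifier only if it is well-formed and allowlisted, else raises.
def safe_timezone_id(input)
  raise ArgumentError, 'malformed time zone identifier' unless strict_valid?(input)
  raise ArgumentError, 'time zone not allowed' unless ALLOWED_ZONES.include?(input)
  input
end

# Constructed inputs: the value quoted in the text above, a valid zone, an unknown zone.
SAMPLES = ["foo\n/../../../tmp/payload", 'Europe/London', 'Mars/Olympus'].freeze

def report
  SAMPLES.map do |s|
    accepted = begin
      safe_timezone_id(s)
      true
    rescue ArgumentError
      false
    end
    { input: s, loose: loose_valid?(s), strict: strict_valid?(s), accepted: accepted }
  end
end

report.each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```

Only the value returned by `safe_timezone_id` should be handed to TZInfo::Timezone.get; upgrading tzinfo remains necessary, and the check is defence in depth for externally supplied names.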

Source: opennet.ru
