CVE-2021-21234

7.7 HIGH

📋 TL;DR

This CVE describes a directory traversal vulnerability in spring-boot-actuator-logview library versions before 0.2.13. Attackers can exploit insufficient validation of the 'base' parameter to read arbitrary files outside the intended log directory. Any application using vulnerable versions of this library with the logview endpoint exposed is affected.

💻 Affected Systems

Products:
  • spring-boot-actuator-logview
Versions: All versions before 0.2.13
Operating Systems: All operating systems running Java applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that have the logview actuator endpoint enabled and accessible. The vulnerability exists regardless of authentication if the endpoint is reachable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via reading sensitive files like /etc/passwd, SSH keys, configuration files with secrets, or database credentials, potentially leading to lateral movement and data exfiltration.

🟠 Likely Case: Unauthorized reading of application configuration files, source code, or other sensitive files in directories accessible to the application user, potentially exposing credentials and business logic.

🟢 If Mitigated: Limited file read access restricted to non-sensitive directories if proper file permissions and network controls are implemented.

🌐 Internet-Facing: HIGH - Directly exposed actuator endpoints with this vulnerability allow remote attackers to read arbitrary files without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to escalate privileges or access sensitive data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests with crafted parameters. Public proof-of-concept code and detailed advisory are available in the GitHub security advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.13

Vendor Advisory: https://github.com/lukashinsch/spring-boot-actuator-logview/security/advisories/GHSA-p4q6-qxjx-8jgp

Restart Required: Yes

Instructions:

1. Update the Maven dependency to version 0.2.13 or later in pom.xml.
2. Run 'mvn clean install' to rebuild.
3. Redeploy the application.
4. Restart the application server.

🔧 Temporary Workarounds

Disable logview endpoint (applies to: all)

Remove or disable the spring-boot-actuator-logview endpoint in application configuration:

  • Remove the 'eu.hinsch:spring-boot-actuator-logview' dependency from pom.xml
  • Set 'management.endpoint.logview.enabled=false' in application.properties

Reverse proxy access control (applies to: all)

Configure the reverse proxy to block access to the /actuator/logview endpoint:

  • nginx: location ~ ^/actuator/logview { deny all; }
  • Apache: <Location /actuator/logview> Require all denied </Location>

🧯 If You Can't Patch

  • Restrict file system permissions for the application user to read-only access for required directories only
  • Implement network segmentation to limit access to actuator endpoints to trusted networks only

🔍 How to Verify

Check if Vulnerable:

Check pom.xml or build.gradle for dependency 'eu.hinsch:spring-boot-actuator-logview' with version < 0.2.13

Check Version:

Maven: mvn dependency:tree | grep spring-boot-actuator-logview
Gradle: gradle dependencies | grep spring-boot-actuator-logview

Verify Fix Applied:

Verify that the resolved dependency version is 0.2.13 or higher, then confirm that a request to the logview endpoint whose 'base' parameter contains '../' is rejected with an error instead of returning file contents.
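The version check above is easy to get wrong by eye (for example, Gradle may print a conflict-resolved version after an arrow). The following script is an added example, not part of this advisory or the project's own tooling: it parses the output of `mvn dependency:tree` or `gradle dependencies` for the `eu.hinsch:spring-boot-actuator-logview` artifact, takes the resolved version, and compares it numerically against the fixed version 0.2.13. The sample tree outputs are constructed for illustration.

```python
import re
from typing import Optional, Tuple

ARTIFACT = "eu.hinsch:spring-boot-actuator-logview"
FIXED_VERSION = (0, 2, 13)  # first non-vulnerable release per the advisory

# Matches both layouts:
#   Maven:  eu.hinsch:spring-boot-actuator-logview:jar:0.2.12:compile
#   Gradle: eu.hinsch:spring-boot-actuator-logview:0.2.12 -> 0.2.13
_DEP_RE = re.compile(
    re.escape(ARTIFACT)
    + r":(?:[a-z-]+:)?(\d+(?:\.\d+)*)"      # optional packaging type, then declared version
    + r"(?:\s*->\s*(\d+(?:\.\d+)*))?"       # optional Gradle conflict-resolved version
)

# Constructed sample outputs (not captured from a real build)
MAVEN_SAMPLE = r"""[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:2.3.4.RELEASE:compile
[INFO] +- eu.hinsch:spring-boot-actuator-logview:jar:0.2.12:compile
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.3.4.RELEASE:test"""

GRADLE_SAMPLE = r"""compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-actuator:2.3.4.RELEASE
+--- eu.hinsch:spring-boot-actuator-logview:0.2.12 -> 0.2.13
\--- org.springframework.boot:spring-boot-starter-web:2.3.4.RELEASE"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.2.12' into (0, 2, 12) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def find_logview_version(tree_output: str) -> Optional[Tuple[int, ...]]:
    """Return the resolved logview version found in a dependency tree, or None if absent."""
    for line in tree_output.splitlines():
        match = _DEP_RE.search(line)
        if match:
            # Prefer the conflict-resolved version (group 2) when Gradle prints one.
            return parse_version(match.group(2) or match.group(1))
    return None


def is_vulnerable(tree_output: str) -> bool:
    """True when the logview artifact is present at a version below 0.2.13."""
    version = find_logview_version(tree_output)
    if version is None:
        return False  # library not on the classpath at all
    return version < FIXED_VERSION


if __name__ == "__main__":
    for name, sample in (("maven", MAVEN_SAMPLE), ("gradle", GRADLE_SAMPLE)):
        ver = find_logview_version(sample)
        print(f"{name}: version={ver} vulnerable={is_vulnerable(sample)}")
```

Pipe real build output into `find_logview_version` instead of the constructed samples; a `None` result means the artifact was not found, which is worth double-checking against transitive dependencies before concluding the application is unaffected.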

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /actuator/logview with 'base' parameter containing '..' or '../' sequences
  • File access errors for unexpected paths in application logs

Network Indicators:

  • HTTP GET requests to actuator/logview endpoint with unusual parameter combinations
  • Traffic patterns showing attempts to access parent directories

SIEM Query:

http.url:"/actuator/logview" AND (http.param.base:".." OR http.param.base:"../")
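The SIEM query above matches literal '..' in the decoded 'base' parameter. As an added example (not part of this advisory), the script below applies the same log indicators to raw web server access logs: it parses combined-format lines, percent-decodes the request so that encoded forms of the parameter are not missed, and flags requests to /actuator/logview whose 'base' parameter contains '..'. The sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in nginx/Apache combined log format (not real traffic)
SAMPLE_ACCESS_LOG = r'''10.0.0.5 - - [10/Jan/2021:12:00:01 +0000] "GET /actuator/logview?base=logs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2021:12:00:02 +0000] "GET /actuator/logview?base=../../ HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.7 - - [10/Jan/2021:12:00:03 +0000] "GET /actuator/logview?base=%2e%2e%2f%2e%2e%2f HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.9 - - [10/Jan/2021:12:00:04 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "kube-probe/1.19"
'''

# Client IP, timestamp, method, request target and status from a combined-format line
_REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

LOGVIEW_PATH = "/actuator/logview"


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so nested encodings resolve to plain text."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target: str) -> bool:
    """True if the request targets the logview endpoint with a 'base' value containing '..'."""
    parts = urlsplit(target)
    if LOGVIEW_PATH not in decode_fully(parts.path):
        return False
    # parse_qs decodes one layer; decode_fully handles anything left over
    params = parse_qs(parts.query, keep_blank_values=True)
    return any(".." in decode_fully(value) for value in params.get("base", []))


def scan_access_log(log_text: str) -> list:
    """Return one record per matching request, suitable for alerting or enrichment."""
    hits = []
    for line in log_text.splitlines():
        match = _REQ_RE.match(line)
        if match and is_traversal_attempt(match.group("target")):
            hits.append({
                "ip": match.group("ip"),
                "timestamp": match.group("ts"),
                "target": match.group("target"),
                "status": match.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{hit['timestamp']} {hit['ip']} status={hit['status']} {hit['target']}")
```

A 200 status on a flagged request is the case to escalate first, since it suggests the traversal succeeded rather than being rejected; after the fix or the reverse-proxy block is in place, the same requests should appear with error or 403 statuses.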
