CVE-2021-32769

CVSS 3.1 base score: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

📋 TL;DR

CVE-2021-32769 is a path traversal vulnerability in the static resource serving of the Micronaut framework, fixed in version 2.5.9. When an application maps a URL prefix to a directory with a double-asterisk (`**`) pattern, an unauthenticated attacker can append directory traversal sequences such as `/../../` to the request path and read files outside the mapped directory, limited only by what the application's OS user can read. Applications that do not configure static resource serving are not affected; those that use the common `**` mapping are.
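The mechanism behind the TL;DR, as an added illustration that is not Micronaut's code: a resolver that strips the URL prefix and joins the remainder onto the served directory (the behaviour of a traversable `**` mapping) beside one that decodes, resolves and rejects anything that lands outside the directory. The `/static/` prefix, the helper names and the throwaway directory tree are assumptions made for the example.

```python
"""Added illustration (not Micronaut code): why a naive prefix-to-directory
mapping is traversable, and how a confining resolver stops it.
The prefix, helper names and files below are assumptions for the example."""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def naive_resolve(base_dir: str, request_path: str, prefix: str = "/static/") -> str:
    """Mimics a '**' mapping: strip the URL prefix, join the rest onto the
    directory. Nothing stops '..' segments from climbing out of base_dir."""
    rel = request_path[len(prefix):]
    return os.path.normpath(os.path.join(base_dir, rel))


def safe_resolve(base_dir: str, request_path: str, prefix: str = "/static/") -> Optional[str]:
    """Decode (twice, to catch %252e), resolve symlinks, and refuse any target
    that is not under the served directory. Returns None when rejected."""
    if not request_path.startswith(prefix):
        return None
    rel = unquote(unquote(request_path[len(prefix):]))
    if "\x00" in rel:
        return None
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def demo() -> dict:
    """Build a constructed directory tree and run both resolvers against it."""
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "public")
    os.makedirs(base)
    with open(os.path.join(base, "index.html"), "w") as f:
        f.write("<h1>ok</h1>")
    with open(os.path.join(tmp, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")  # constructed secret outside the served dir
    return {
        "naive_escapes": naive_resolve(base, "/static/../secret.txt")
        == os.path.normpath(os.path.join(tmp, "secret.txt")),
        "safe_blocks_plain": safe_resolve(base, "/static/../secret.txt") is None,
        "safe_blocks_encoded": safe_resolve(base, "/static/%2e%2e/secret.txt") is None,
        "safe_blocks_double_encoded": safe_resolve(base, "/static/%252e%252e/secret.txt") is None,
        "safe_allows_normal": safe_resolve(base, "/static/index.html")
        == os.path.realpath(os.path.join(base, "index.html")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check is done on the resolved absolute path rather than by scanning the URL for `..`, so symlinks and encoding tricks fall under the same rule: the final target must be under the served root.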

💻 Affected Systems

Products:
  • Micronaut Framework
Versions: All versions prior to 2.5.9
Operating Systems: Any operating system with a supported JVM
Default Config Vulnerable: ⚠️ Not out of the box, but the common configuration is
Notes: Static resource serving must be configured explicitly (`micronaut.router.static-resources`); an entry whose `mapping` uses a `**` pattern, which is the usual way to serve a directory tree, is vulnerable.

📦 What is this software?

Micronaut is a JVM-based framework for building microservices and serverless applications in Java, Kotlin and Groovy. Its HTTP server can serve static files from the classpath or the filesystem by mapping a URL prefix to a directory, which is the feature affected here.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of any file the application's OS user can read: /etc/passwd, SSH keys, database credentials, or application configuration files containing secrets. Those credentials are then reused to compromise the server or the systems it talks to.

🟠

Likely Case

Exfiltration of configuration files, source code or credentials from the application host, leading to a data breach or further compromise.

🟢

If Mitigated

Requests are confined to the mapped directory; traversal attempts get a 404 or similar error instead of file contents.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A single unauthenticated HTTP GET with traversal sequences in the path is enough; no special tooling is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.9

Vendor Advisory: https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-cjx7-399x-p2rj

Restart Required: Yes

Instructions:

1. Update the Micronaut version to 2.5.9 or later (for example `micronautVersion` in gradle.properties, or the `micronaut.version` property / parent version in pom.xml), so that `io.micronaut:micronaut-core` and the other Micronaut artifacts resolve to the fixed release.
2. Rebuild and redeploy the application.
3. Restart the application.

🔧 Temporary Workarounds

Restrict path mapping

all

Change each `mapping` under `micronaut.router.static-resources` from a double-asterisk pattern (e.g. `/static/**`) to a single-asterisk pattern (`/static/*`). A single `*` matches exactly one path segment, so a multi-segment `../../...` sequence no longer matches the route. Files in subdirectories of the mapped directory also stop being served, so check that nothing depends on them before relying on this.

Chroot isolation

linux

Run the Micronaut application inside a chroot jail on Linux. The jail must contain a JRE, the application jar and everything it reads at runtime, and a traversal still reaches every file inside the jail (including the application's own configuration), so this limits the damage rather than removing the flaw.

chroot /path/to/chroot/jail java -jar application.jar

🧯 If You Can't Patch

  • Add web application firewall (WAF) rules that block traversal sequences in the request path, including the percent-encoded forms (`%2e%2e/`, `..%2f`) and double-encoded forms (`%252e%252e/`), not just the literal `../`
  • Disable static resource serving entirely, or move the files to a dedicated static file server or CDN

🔍 How to Verify

Check if Vulnerable:

If the application runs a Micronaut version before 2.5.9 and configures `micronaut.router.static-resources` with a `**` mapping, treat it as vulnerable. To confirm, request the mapped prefix with traversal sequences appended (e.g. `/static/../../../../etc/passwd`) and check whether the response body is file contents rather than an error.

Check Version:

Check the resolved version of `io.micronaut:micronaut-core` in the dependency tree (`./gradlew dependencies` or `mvn dependency:tree`), or inspect the `micronaut-core-*.jar` name inside the packaged application; the declared version in build.gradle or pom.xml can differ from what is resolved.

Verify Fix Applied:

After patching, repeat the traversal requests (plain and percent-encoded) and confirm they return 404 or another error instead of file contents, while a legitimate file under the mapped prefix still loads.
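A small checker for the "Check if Vulnerable" and "Verify Fix Applied" steps above, added here rather than taken from the page or from the Micronaut project. It builds plain, percent-encoded and double-encoded traversal probes for a mapped prefix, fetches them, and reports whether the response looks like `/etc/passwd`. The `/static/` prefix, the probe depth and the target file are assumptions; change them to match the application under test.

```python
"""Added verification helper (not from the page or the Micronaut project).
Usage: python check_cve_2021_32769.py https://app.example.test
The '/static/' prefix, depth and target file are assumptions."""
import sys
import urllib.error
import urllib.request

TARGET = "etc/passwd"  # recognizable content, readable by any OS user

# Traversal spellings a server may decode differently; '../' is the literal form.
SEQUENCES = ("../", "%2e%2e/", "%252e%252e/", "..%2f")


def probe_paths(prefix: str = "/static/", depth: int = 6):
    """One request path per traversal spelling, climbing `depth` directories."""
    prefix = prefix.rstrip("/") + "/"
    return [prefix + seq * depth + TARGET for seq in SEQUENCES]


def indicates_file_read(status: int, body: bytes) -> bool:
    """/etc/passwd is distinctive: a 200 whose body contains 'root:' and ':0:0:'."""
    return status == 200 and b"root:" in body and b":0:0:" in body


def check(base_url: str, prefix: str = "/static/") -> dict:
    """Fetch every probe; map path -> True when file contents came back."""
    results = {}
    for path in probe_paths(prefix):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"User-Agent": "cve-2021-32769-check"},
        )
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[path] = indicates_file_read(resp.status, resp.read(4096))
        except urllib.error.HTTPError as e:  # 4xx/5xx still carry a body
            results[path] = indicates_file_read(e.code, e.read(4096))
        except urllib.error.URLError:
            results[path] = False
    return results


if __name__ == "__main__":
    for path, hit in check(sys.argv[1]).items():
        print(("VULNERABLE " if hit else "ok         ") + path)
```

After patching, every probe should print `ok`; if only the literal `../` form prints `ok` while an encoded form prints `VULNERABLE`, a WAF rule is masking the problem rather than the fix being in place.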

📡 Detection & Monitoring

Log Indicators:

  • Request paths containing `../` or `..\`, including the percent-encoded (`%2e%2e`, `..%2f`) and double-encoded (`%252e%252e`) forms
  • Static resource requests that return 200 for paths outside the mapped directory, or with unusual sizes or content types for the mapped prefix
  • Bursts of 404s for traversal attempts after patching (the attempts continue; only their outcome changes)

Network Indicators:

  • HTTP requests with several consecutive traversal sequences in the URL path, typically aimed at `/etc/passwd` first and at configuration files afterwards

SIEM Query:

web.url:(*../* OR *%2e%2e* OR *..%2f*) AND response.status:200

Match on the successful responses only; `response.size>0` is also true for error pages and adds noise. If the log pipeline stores the decoded path, the encoded variants collapse into `../` and the first term is enough.
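The same logic as the SIEM query, run over access log lines, as an added example that is not part of the page: each line is parsed, the path is percent-decoded until it stops changing so `%2e%2e` and `%252e%252e` are caught, and traversal hits are reported with whether the request succeeded. The log lines are constructed for the example in combined log format.

```python
"""Added detection example (not from the page): find traversal attempts in
access logs, decoding percent-encoding so '%2e%2e' does not slip past a
literal '../' match. The log lines below are constructed for the example."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# '..' as a whole path segment, with either separator; 'v1..v2' does not match.
TRAVERSAL_RE = re.compile(r'(^|/|\\)\.\.(/|\\|$)')


def normalize(url: str) -> str:
    """Percent-decode until stable (handles double encoding), unify separators."""
    prev, cur = None, url
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def scan(lines):
    """Return one record per traversal attempt; 'succeeded' marks HTTP 200."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = normalize(m.group("url"))
        if TRAVERSAL_RE.search(url):
            hits.append({
                "ip": m.group("ip"),
                "url": url,
                "status": int(m.group("status")),
                "succeeded": m.group("status") == "200",
            })
    return hits


# Constructed sample: three attempts (one successful) and two benign requests.
SAMPLE = [
    '203.0.113.7 - - [10/Jul/2021:12:00:01 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Jul/2021:12:00:02 +0000] "GET /static/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 0',
    '203.0.113.7 - - [10/Jul/2021:12:00:03 +0000] "GET /static/%252e%252e/%252e%252e/app/application.yml HTTP/1.1" 404 0',
    '198.51.100.5 - - [10/Jul/2021:12:00:04 +0000] "GET /static/css/app.css HTTP/1.1" 200 412',
    '198.51.100.5 - - [10/Jul/2021:12:00:05 +0000] "GET /static/docs/v1..v2.html HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        flag = "SUCCESS" if hit["succeeded"] else "blocked"
        print(f'{hit["ip"]} {hit["status"]} {flag} {hit["url"]}')
```

Decoding in the detector, rather than adding more literal patterns to the query, is what keeps the encoded and double-encoded attempts in the same bucket as the plain ones.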

🔗 References

  • GitHub Security Advisory GHSA-cjx7-399x-p2rj: https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-cjx7-399x-p2rj
  • NVD entry for CVE-2021-32769: https://nvd.nist.gov/vuln/detail/CVE-2021-32769
