CVE-2021-43795 – CVE-2021-43795 is a path traversal vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2021-43795?

CVE-2021-43795 has a CVSS score of 7.5 (HIGH). CVE-2021-43795 is a path traversal vulnerability in Armeria microservice framework that allows attackers to bypass directory restrictions using URL-encoded slashes (%2F). This enables unauthorized access to files outside the intended directory. Affected systems are those running vulnerable Armeria versions with file serving functionality exposed.

📋 TL;DR

CVE-2021-43795 is a path traversal vulnerability in Armeria microservice framework that allows attackers to bypass directory restrictions using URL-encoded slashes (%2F). This enables unauthorized access to files outside the intended directory. Affected systems are those running vulnerable Armeria versions with file serving functionality exposed.

💻 Affected Systems

Products:

Armeria

Versions: Versions below 1.13.4

Operating Systems: All platforms running Armeria

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Armeria instances with file serving functionality enabled. The vulnerability exists in the path validation logic.

📦 What is this software?

Armeria by Linecorp

View all CVEs affecting Armeria →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server file system compromise leading to sensitive data exposure, credential theft, and potential lateral movement within the infrastructure.

🟠

Likely Case

Unauthorized access to configuration files, application source code, or sensitive data stored on the server filesystem.

🟢

If Mitigated

No file access beyond intended directories; requests with %2F are properly rejected or sanitized.

🌐 Internet-Facing: HIGH - Exploitation requires only HTTP requests and can be performed remotely without authentication.

🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is straightforward using standard HTTP clients. The advisory includes example exploit paths.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.13.4 and above

Vendor Advisory: https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv

Restart Required: Yes

Instructions:

1. Update Armeria dependency to version 1.13.4 or higher. 2. Rebuild and redeploy the application. 3. Restart the Armeria server.

🔧 Temporary Workarounds

Path validation decorator

all

Implement a custom decorator that performs additional path validation to reject requests containing %2F or other encoded path traversal sequences.

Implement decorator as shown in GitHub advisory: https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv

🧯 If You Can't Patch

Implement network-level controls to restrict access to Armeria file serving endpoints
Deploy WAF rules to block requests containing %2F in paths to file endpoints

🔍 How to Verify

Check if Vulnerable:

Check if Armeria version is below 1.13.4 and file serving is enabled. Test by sending HTTP request with path containing %2F (e.g., GET /files/..%2Fetc/passwd).

Check Version:

Check build.gradle or pom.xml for Armeria dependency version, or check server startup logs for version information.

Verify Fix Applied:

After patching, test that requests with %2F in paths are properly rejected or sanitized. Verify Armeria version is 1.13.4 or higher.

📡 Detection & Monitoring

Log Indicators:

HTTP requests containing %2F in paths to file endpoints
Unusual file access patterns from single IPs
404 errors for attempted directory traversal

Network Indicators:

HTTP requests with encoded slashes in URL paths
Multiple rapid requests with varying %2F patterns

SIEM Query:

http.url:*%2F* AND (http.path:*files* OR http.path:*static*)

📊 Metadata

CVE ID: CVE-2021-43795

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-22

Published: December 2, 2021

Last Updated: November 21, 2024

🔗 References

https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284 Patch,Third Party Advisory
https://github.com/line/armeria/pull/3855 Third Party Advisory
https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv Third Party Advisory
https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284 Patch,Third Party Advisory
https://github.com/line/armeria/pull/3855 Third Party Advisory
https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-43795, you might also want to check these: