Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in micronaut-core
CVE-2021-32769

7.5HIGH

Key Information:

Vendor: Micronaut-projects
Status: Micronaut-core
Vendor: CVE Published:; 16 July 2021

🔔 Create Micronaut-projects Vulnerability Alert

What is CVE-2021-32769?

Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using "/../../" in the URL. This occurs because Micronaut does not restrict file access to configured paths. The vulnerability is patched in version 2.5.9. As a workaround, do not use ** in mapping, use only *, which exposes only flat structure of a directory not allowing traversal. If using Linux, another workaround is to run micronaut in chroot.

Affected Version(s)

micronaut-core < 2.5.9

References

https://github.com/micronaut-projects/micronaut-core/secu...

x_refsource_CONFIRM

https://github.com/micronaut-projects/micronaut-core/comm...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 16, 2021
Vulnerability Reserved
May 12, 2021

CVE-2021-32769 Data

JSON