CVE-2021-21234

Name of the Vulnerable Software and Affected Versions: spring-boot-actuator-logview versions prior to 0.2.13

Description: The issue concerns a directory traversal vulnerability in the spring-boot-actuator-logview library, which exposes a log file directory via admin HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits, the base folder parameter was not sufficiently checked, allowing access to files outside the logging base directory. For example, specifying filename=somefile&base=../ could access a file outside the intended directory.

Recommendations: For versions prior to 0.2.13, update to version 0.2.13 or later to resolve the issue. As a temporary mitigation measure, consider removing read access of the user the application is run with to any directory not required for running the application to limit the impact. Additionally, access to the logview endpoint can be limited by deploying the application behind a reverse proxy.