PT-2021-23941 · Armeria · Armeria
Abdallah Zaher
·
Published
2021-12-02
·
Updated
2021-12-06
·
CVE-2021-43795
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Armeria versions prior to 1.13.4
Description:
An attacker can read files on an Armeria server's local file system outside the directory the file service is restricted to by sending an HTTP request whose path contains %2F (a percent-encoded /), for example /files/..%2Fsecrets.txt. The encoded slash bypasses Armeria's path validation logic, which in affected versions does not handle %2F properly.
Recommendations:
For versions prior to 1.13.4, update to Armeria 1.13.4 or above, which contains the hardened path validation logic that handles %2F properly.
As a temporary workaround, insert a decorator that performs an additional validation on the request path, such as checking whether the raw path contains %2f or %2F and returning a BAD REQUEST response if it does. Note that this also rejects any legitimate request that uses an encoded slash inside a path segment.
Fix
Path traversal
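The workaround above, written out as an added example. This is not Armeria's own code and not the fix shipped in 1.13.4; it is a server-wide decorator that rejects any request whose raw request target contains an encoded slash before the request reaches the file service. The serving directory /srv/files, the port, and the class and method names are assumptions for illustration; the check reads req.headers().path(), which is assumed here to carry the :path value as received from the client rather than a decoded form.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;

import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.server.HttpService;
import com.linecorp.armeria.server.Server;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.file.FileService;

/**
 * Example decorator (hypothetical name) that implements the temporary
 * workaround for CVE-2021-43795: refuse any request whose raw path contains
 * a percent-encoded slash, so "/files/..%2Fsecrets.txt" never reaches the
 * file service and cannot be resolved to "/files/../secrets.txt".
 */
public final class EncodedSlashGuard {

    /**
     * True when the raw request path carries "%2F" or "%2f". The comparison
     * is case-insensitive so an attacker cannot dodge it with lower-case hex.
     * No decoding is done here on purpose: the whole point is to look at the
     * bytes the client actually sent, before any component normalizes them.
     */
    static boolean hasEncodedSlash(String rawPath) {
        return rawPath.toUpperCase(Locale.ROOT).contains("%2F");
    }

    /**
     * Decorating function: runs before the decorated service. Returns
     * 400 Bad Request when an encoded slash is present, otherwise delegates.
     */
    static HttpResponse guard(HttpService delegate, ServiceRequestContext ctx,
                              HttpRequest req) throws Exception {
        // Assumption: headers().path() is the ':path' value as received.
        final String rawPath = req.headers().path();
        if (hasEncodedSlash(rawPath)) {
            return HttpResponse.of(HttpStatus.BAD_REQUEST);
        }
        return delegate.serve(ctx, req);
    }

    public static void main(String[] args) {
        // Hypothetical directory that the file service is restricted to.
        final Path root = Paths.get("/srv/files");

        final Server server = Server.builder()
                .http(8080)
                .serviceUnder("/files", FileService.of(root))
                // Server-level decorator: applies to every service, so the
                // check cannot be forgotten on a single route.
                .decorator(EncodedSlashGuard::guard)
                .build();

        server.start().join();
        // Manual check once running:
        //   curl -i 'http://localhost:8080/files/..%2Fsecrets.txt'  -> 400
        //   curl -i 'http://localhost:8080/files/readme.txt'        -> served
    }
}
```

The check is deliberately applied at the server level rather than on the file service alone, so that a second file-serving route added later is covered as well. Because it matches the raw request target, it is a blunt instrument: any path segment that legitimately needs an encoded slash is rejected too, which is why upgrading to 1.13.4 or later is the real fix and this decorator is only a stopgap.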
Weakness Enumeration
Related Identifiers
Affected Products
Armeria