PT-2021-23971 · Unknown · Message Bus

Sam Saffron · Published 2021-12-17 · Updated 2021-12-29 · CVE-2021-43840

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Message Bus versions prior to 3.3.7
Description: The issue is a path traversal bug in the diagnostics route that could disclose secret files on the host to any user who can reach that route. It affects only deployments with the diagnostics features enabled, which are off by default. The impact is greatest when the web application is not behind a proxy, because the number of directory levels that can be climbed is unbounded. Behind a proxy the impact depends on how the proxy normalizes paths: for example, when requests pass through Nginx with merge slashes enabled, reads are limited to 3 directory levels above the intended directory.
Recommendations: For versions prior to 3.3.7, update to version 3.3.7 to resolve the issue. As a temporary workaround, disable MessageBus::Diagnostics in production-like environments until the update is applied.
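The mitigation principle behind an advisory like this one is that any file name taken from a request must be resolved against a fixed directory and refused if the normalized result lands outside it. The following is an added example written for this page, not code from message_bus or from its 3.3.7 fix; the function names, the asset directory layout and the sample requests are all constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Resolve +requested+ (a name taken from the URL) against +base_dir+ and
# return the absolute path only if it stays strictly inside +base_dir+.
# Returns nil for anything that escapes, for the base directory itself,
# and for inputs that File.expand_path would interpret specially.
def safe_asset_path(base_dir, requested)
  base = File.expand_path(base_dir)
  # A NUL byte would truncate the name at the filesystem layer.
  return nil if requested.include?("\0")
  # File.expand_path treats a leading "~" as a home-directory lookup.
  return nil if requested.start_with?("~")
  # expand_path collapses "..", "." and repeated slashes; an absolute
  # +requested+ ignores +base+ entirely, which the prefix check catches.
  candidate = File.expand_path(requested, base)
  # The trailing separator matters: without it "/srv/assets2" would pass
  # as being inside "/srv/assets".
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Read an asset through the check above; nil means "refuse the request".
def read_asset(base_dir, requested)
  path = safe_asset_path(base_dir, requested)
  return nil if path.nil? || !File.file?(path)
  File.read(path)
end

# Constructed demo: a throwaway asset directory holding one file, plus a
# sibling "secret" file that must never be readable through the route.
# Returns a hash of request => body (nil where the request was refused).
def demo
  Dir.mktmpdir("assets-demo") do |root|
    assets = File.join(root, "assets")
    FileUtils.mkdir_p(File.join(assets, "js"))
    File.write(File.join(assets, "js", "app.js"), "console.log('ok')")
    File.write(File.join(root, "secret.txt"), "do-not-serve")
    {
      "js/app.js"                   => read_asset(assets, "js/app.js"),
      "../secret.txt"               => read_asset(assets, "../secret.txt"),
      "js//..//../secret.txt"       => read_asset(assets, "js//..//../secret.txt"),
      File.join(root, "secret.txt") => read_asset(assets, File.join(root, "secret.txt")),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |req, body| puts "#{req.inspect} => #{body.inspect}" }
end
```

The check is done on the normalized path rather than by scanning the input for ".." because repeated slashes, "." segments and absolute paths all change what the final path is; this is also why a proxy that merges slashes changes the reachable depth, as the description notes, without removing the problem. The proper fix is the upgrade to 3.3.7; the example only shows the kind of bound-to-a-directory check a defender would expect such a route to enforce.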

Exploit · Fix · Path traversal

Related Identifiers

CVE-2021-43840
GHSA-XMGJ-5FH3-XJMM

Affected Products

Message Bus