CVE-2021-43795
Path Traversal in com.linecorp.armeria:armeria
Description
### Impact

An attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (a percent-encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic.

### Patches

Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly.

### Workarounds

This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path and rejects any request whose path still contains an encoded slash before it reaches `FileService`, e.g.

```java
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.server.Server;
import com.linecorp.armeria.server.file.FileService;

Server
    .builder()
    .serviceUnder(
        "/files",
        FileService
            .of(...)
            .decorate((delegate, ctx, req) -> {
                // Inspect the raw request path before FileService decodes it.
                String path = req.headers().path();
                // Reject both cases of the percent-encoded slash.
                if (path.contains("%2f") || path.contains("%2F")) {
                    return HttpResponse.of(HttpStatus.BAD_REQUEST);
                }
                return delegate.serve(ctx, req);
            })
    )
    .build()
```

Note that this decorator also refuses legitimate requests whose file names contain a literal `%2F`, which is the price of blocking the encoded slash outright until the upgrade is applied.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [line/armeria](https://github.com/line/armeria)
* Chat with us at [Slack](https://armeria.dev/s/slack)

### Credits

This vulnerability was originally reported by Abdallah Zaher ([elcayser-0x0a](https://hackerone.com/elcayser-0x0a?type=user)).
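To make the bug class concrete, the following is an added example written for this page; it is not Armeria's code and not part of the advisory. It models a naive validator that inspects the raw, still-encoded request path (and so lets `..%2F` through), a hardened resolver that percent-decodes exactly once and then normalizes and checks containment against the document root, and the advisory's workaround expressed as a predicate. The mount prefix `/files`, the root `/srv/www/files`, the sample request paths and every function name are assumptions for the example, and the naive validator is a constructed model of the vulnerability class rather than a description of Armeria's internals.

```python
"""Constructed model of an encoded-slash path traversal and two defenses."""
import posixpath
from urllib.parse import unquote

# Assumed mount point and document root for the example file service (not Armeria config).
PREFIX = "/files"
ROOT = "/srv/www/files"


def _strip_query(request_path):
    """Drop a query string; only the path component matters for traversal."""
    return request_path.split("?", 1)[0]


def naive_is_safe(request_path):
    """Weak validator modelling the bug class (constructed, NOT Armeria's code).

    It splits the raw, still percent-encoded path on '/' and rejects any
    segment that is exactly '..'.  '/files/..%2Fsecrets.txt' has the single
    segment '..%2Fsecrets.txt', so it passes.
    """
    return all(seg != ".." for seg in _strip_query(request_path).split("/"))


def naive_resolve(request_path):
    """Validate on the encoded path, then decode and join (the vulnerable order).

    Returns the filesystem path the file layer would open, or None if rejected.
    """
    if not naive_is_safe(request_path):
        return None
    decoded = unquote(_strip_query(request_path))
    if not decoded.startswith(PREFIX + "/"):
        return None
    return posixpath.normpath(ROOT + decoded[len(PREFIX):])


def hardened_resolve(request_path):
    """Decode exactly once, normalize, then require the result to stay under ROOT."""
    decoded = unquote(_strip_query(request_path))
    if "\x00" in decoded or not decoded.startswith(PREFIX + "/"):
        return None
    candidate = posixpath.normpath(ROOT + decoded[len(PREFIX):])
    if candidate != ROOT and not candidate.startswith(ROOT + "/"):
        return None
    return candidate


def workaround_rejects(request_path):
    """The advisory's decorator as a predicate: refuse any path containing %2F or %2f."""
    return "%2f" in request_path or "%2F" in request_path


def is_outside_root(fs_path):
    """True when a resolved filesystem path escapes ROOT."""
    return fs_path is not None and fs_path != ROOT and not fs_path.startswith(ROOT + "/")


if __name__ == "__main__":
    # Constructed sample requests: benign, plain traversal, encoded-slash traversal,
    # and a double-encoded slash (decoded once, it is just a literal file name).
    for p in ["/files/docs/readme.txt", "/files/../secrets.txt",
              "/files/..%2Fsecrets.txt", "/files/..%252Fsecrets.txt"]:
        print(f"{p:28} naive={naive_resolve(p)} hardened={hardened_resolve(p)} "
              f"workaround_rejects={workaround_rejects(p)}")
```

The point of `hardened_resolve` is ordering: decode, then normalize, then check containment, so that every representation of `../` collapses to the same thing before the decision is made. Decoding only once also matters: `%252F` becomes the literal characters `%2F`, which is an odd but harmless file name, and must not be decoded a second time into a slash.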
How to fix CVE-2021-43795
To remediate CVE-2021-43795, upgrade the affected package to a fixed version below.
- com.linecorp.armeria:armeria: upgrade to 1.13.4 or later
Is CVE-2021-43795 being exploited?
Low. The EPSS score is 0.8%, a low estimated probability of exploitation in the wild over the next 30 days. EPSS is a prediction, not a record of observed attacks, so treat it as a prioritization signal rather than as evidence that the bug is unexploited.
Affected packages (1)
- com.linecorp.armeria:armeria: >= 1.12.0, < 1.13.4