CVE-2021-21234 Overview
CVE-2021-21234 is a directory traversal vulnerability affecting spring-boot-actuator-logview, a library that adds a simple logfile viewer as a Spring Boot actuator endpoint (maven package eu.hinsch:spring-boot-actuator-logview). The vulnerability exists in versions prior to 0.2.13 and allows authenticated attackers to access files outside the intended logging directory through improper validation of the base parameter.
The library exposes a log file directory via admin (Spring Boot actuator) HTTP endpoints, where both the filename and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was properly validated to prevent directory traversal exploits (so that filename=../somefile would not work), the base folder parameter lacked sufficient validation. This oversight allows attackers to craft requests such as filename=somefile&base=../ to access files outside the logging base directory.
Critical Impact
Authenticated attackers can read sensitive files outside the designated logging directory, potentially exposing configuration files, credentials, source code, and other confidential data accessible by the application's runtime user.
Affected Products
- spring-boot-actuator-logview versions prior to 0.2.13
- Maven package eu.hinsch:spring-boot-actuator-logview
- Spring Boot applications using the affected logview actuator endpoint
Discovery Timeline
- January 5, 2021 - CVE-2021-21234 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-21234
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) occurs due to insufficient input validation of the base request parameter in the logview endpoint. The vulnerability allows network-based exploitation by authenticated users, requiring no user interaction. The scope of the vulnerability is changed, meaning a successful exploit can affect resources beyond the vulnerable component's security scope, enabling high-impact confidentiality breaches through unauthorized file access.
The library's design allows administrators to view log files through HTTP endpoints. The endpoint accepts two key parameters: filename to specify which log file to view, and base to specify a subdirectory within the logging root. The developers implemented path traversal protection for the filename parameter but overlooked applying the same security controls to the base parameter.
Root Cause
The root cause of this vulnerability lies in inconsistent input validation between the filename and base parameters. The securityCheck() function was called with only the base parameter before resolving the full path, which did not properly validate whether the resulting path would escape the logging directory boundaries. The fix changes the order of operations to first resolve the currentFolder path using loggingPath(base) and then pass the resolved path to the securityCheck() function for proper validation.
Attack Vector
The attack vector is network-based, requiring the attacker to have low-privilege authenticated access to the Spring Boot actuator endpoints. An attacker can manipulate the base parameter in HTTP requests to traverse directories and access arbitrary files readable by the application's runtime user. For example, a malicious request could use base=../../../etc combined with a valid filename to read system configuration files or base=../../../home/user/.ssh to access SSH keys.
// Vulnerable code pattern (before fix)
// Security check was performed on 'base' parameter before path resolution
securityCheck(base);
Path currentFolder = loggingPath(base);
// Fixed code pattern (after patch)
// Path is resolved first, then security check validates the full path
Path currentFolder = loggingPath(base);
securityCheck(currentFolder, null);
Source: GitHub Commit
Detection Methods for CVE-2021-21234
Indicators of Compromise
- HTTP requests to actuator logview endpoints containing ../ sequences in the base parameter
- Access logs showing repeated requests to /actuator/logview with varying directory traversal patterns
- Unusual file access patterns from the Java application process outside the logging directory
- Error logs indicating file access attempts to restricted directories
Detection Strategies
- Monitor web application logs for requests containing path traversal sequences (../, ..%2F, %2e%2e/) in query parameters
- Implement Web Application Firewall (WAF) rules to detect and block directory traversal attempts
- Configure intrusion detection systems to alert on anomalous file access patterns from the application server
- Audit Maven dependencies using software composition analysis tools to identify vulnerable versions of eu.hinsch:spring-boot-actuator-logview
Monitoring Recommendations
- Enable detailed access logging for all Spring Boot actuator endpoints
- Implement file integrity monitoring on sensitive configuration files and directories
- Set up alerts for HTTP requests to actuator endpoints containing encoded or plain directory traversal characters
- Monitor application process file access using endpoint detection and response (EDR) solutions
How to Mitigate CVE-2021-21234
Immediate Actions Required
- Update spring-boot-actuator-logview to version 0.2.13 or later immediately
- Review access logs for evidence of exploitation attempts using directory traversal patterns
- Restrict file system read permissions for the application runtime user to only essential directories
- Implement network-level access controls to limit actuator endpoint exposure
Patch Information
The vulnerability has been patched in release 0.2.13. Users of version 0.2.12 should be able to update without issues as there are no other breaking changes in that release. The fix modifies the LogViewEndpoint.java file to properly validate the resolved path rather than the raw base parameter. The security patches are available in the following commits:
For more information, see the GitHub Security Advisory and the Maven Artifact Repository.
Workarounds
- Remove read access of the application runtime user to any directory not required for running the application to limit potential impact
- Deploy the application behind a reverse proxy and restrict access to the logview actuator endpoint to trusted networks only
- Disable or remove the logview actuator endpoint if not actively required for operations
- Implement additional WAF rules to block requests with directory traversal patterns targeting actuator endpoints
# Example: Restrict file permissions for application user
# Limit the application user's read access to essential directories only
chmod 750 /var/log/application
chown appuser:appgroup /var/log/application
# Example nginx reverse proxy configuration to restrict actuator access
# Add to server block to limit actuator endpoints to internal networks
location /actuator/ {
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
proxy_pass http://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
