eu.hinsch:spring-boot-actuator-logview@0.2.5 vulnerabilities

latest version

0.2.13
first published

9 years ago
latest version published

3 years ago
licenses detected
- MIT
  [0.1.0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the eu.hinsch:spring-boot-actuator-logview package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
L Directory Traversal Affected versions of this package are vulnerable to Directory Traversal due to an incomplete fix for CVE-2021-21234. This allows a privileged user to access sibling directories whose name starts with the same string as the intended directory - a limited subset of the directories vulnerable to exposure in the former vulnerability - via `LogViewEndpoint.view`. How to fix Directory Traversal? There is no fixed version for `eu.hinsch:spring-boot-actuator-logview`.	[0,)
M Directory Traversal Affected versions of this package are vulnerable to Directory Traversal. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory). How to fix Directory Traversal? Upgrade `eu.hinsch:spring-boot-actuator-logview` to version 0.2.13 or higher.	[,0.2.13)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal due to an incomplete fix for CVE-2021-21234. This allows a privileged user to access sibling directories whose name starts with the same string as the intended directory - a limited subset of the directories vulnerable to exposure in the former vulnerability - via LogViewEndpoint.view.

How to fix Directory Traversal?

There is no fixed version for eu.hinsch:spring-boot-actuator-logview.

[0,)

Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal. The nature of this library is to expose a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that filename=../somefile would not work), the base folder parameter was not sufficiently checked, so that filename=somefile&base=../ could access a file outside the logging base directory).

How to fix Directory Traversal?

Upgrade eu.hinsch:spring-boot-actuator-logview to version 0.2.13 or higher.

[,0.2.13)

Go back to all versions of this package

eu.hinsch:spring-boot-actuator-logview@0.2.5 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities