CVE-2021-43795 com.linecorp.armeria:armeria

Package

Manager: maven
Name: com.linecorp.armeria:armeria
Vulnerable Version: >=0 <1.13.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00754 (percentile 0.72308)

Details

Path Traversal in com.linecorp.armeria:armeria

### Impact

An attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic.

### Patches

Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly.

### Workarounds

This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path, e.g.

```java
Server
    .builder()
    .serviceUnder(
        "/files",
        FileService
            .of(...)
            .decorate((delegate, ctx, req) -> {
                // Reject any request whose raw path still carries an encoded slash,
                // before the file service decodes it.
                String path = req.headers().path();
                if (path.contains("%2f") || path.contains("%2F")) {
                    return HttpResponse.of(HttpStatus.BAD_REQUEST);
                }
                return delegate.serve(ctx, req);
            })
    )
    .build()
```

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [line/armeria](https://github.com/line/armeria)
* Chat with us at [Slack](https://armeria.dev/s/slack)

### Credits

This vulnerability was originally reported by Abdallah Zaher ([elcayser-0x0a](https://hackerone.com/elcayser-0x0a?type=user)).
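The workaround above rejects the literal `%2F` before decoding. The example below, added here and not part of Armeria or this advisory, shows the more general check a hardened file service needs: percent-decode first, then resolve and normalize the result and confirm it still lies under the base directory, so `..%2F` (which only turns into `../` after decoding) cannot escape. The class `PathCheck`, its methods and the sample root `/srv/files` are assumptions for illustration; the in-decorator call in the comment relies on Armeria's `ctx.mappedPath()` accessor.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper (not Armeria code): validates a request path AFTER percent-decoding. */
public final class PathCheck {

    /** Single-pass percent-decoding; returns null for malformed escapes such as "%2" or "%zz". */
    static String percentDecode(String raw) {
        byte[] in = raw.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < in.length; i++) {
            if (in[i] != '%') { out.write(in[i]); continue; }
            if (i + 2 >= in.length) return null;
            int hi = Character.digit(in[i + 1], 16), lo = Character.digit(in[i + 2], 16);
            if (hi < 0 || lo < 0) return null;
            out.write((hi << 4) | lo);
            i += 2;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * True only when the decoded path resolves inside baseDir. Decoding happens before the
     * traversal check, so "..%2F" and "%2e%2e/" are seen as "../" rather than as opaque names.
     */
    static boolean isWithin(Path baseDir, String rawMappedPath) {
        String decoded = percentDecode(rawMappedPath);
        if (decoded == null || decoded.indexOf('\0') >= 0) return false;
        String rel = decoded.replace('\\', '/');
        while (rel.startsWith("/")) rel = rel.substring(1);   // keep resolve() relative to baseDir
        Path resolved = baseDir.resolve(rel).normalize();      // collapses "." and ".." segments
        return resolved.startsWith(baseDir);
    }

    // In the advisory's decorator this would read:
    //   if (!PathCheck.isWithin(base, ctx.mappedPath())) return HttpResponse.of(HttpStatus.BAD_REQUEST);
    public static void main(String[] args) {
        Path base = Paths.get("/srv/files").toAbsolutePath().normalize(); // constructed sample root
        // Constructed sample paths as seen relative to serviceUnder("/files", ...).
        String[] samples = { "/report.pdf", "/sub%2Freport.pdf", "/..%2Fsecrets.txt",
                             "/../secrets.txt", "/%2e%2e/secrets.txt", "/bad%2" };
        for (String p : samples) {
            System.out.println(p + " -> " + (isWithin(base, p) ? "serve" : "reject"));
        }
    }
}
```

Unlike the advisory's workaround, this check permits an encoded slash that still resolves inside the base directory (`/sub%2Freport.pdf`) and rejects only paths that escape it or fail to decode; the page's blanket rejection of `%2F` remains the simpler choice when encoded slashes are never expected in legitimate requests.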

Metadata

Created: 2021-12-02T22:25:54Z
Modified: 2021-12-02T21:28:29Z
Source: MANUAL
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-8fp4-rp6c-5gcv
Finding: F063
Auto approve: 1