CVE - CVE-2021-43795

CVE-ID
CVE-2021-43795	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv URL:https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv MISC:https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284 URL:https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284 MISC:https://github.com/line/armeria/pull/3855 URL:https://github.com/line/armeria/pull/3855
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20211116	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20211116)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)