Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04ZnA0LXJwNmMtNWdjds0Y7g
Path Traversal in com.linecorp.armeria:armeria
Impact
An attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains %2F (encoded /), such as /files/..%2Fsecrets.txt, bypassing Armeria's path validation logic.
Patches
Armeria 1.13.4 or above contains the hardened path validation logic that handles %2F properly.
Workarounds
This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path, e.g.
Server
.builder()
.serviceUnder(
"/files",
FileService
.of(...)
.decorate((delegate, ctx, req) -> {
String path = req.headers().path();
if (path.contains("%2f") || path.contains("%2F")) {
return HttpResponse.of(HttpStatus.BAD_REQUEST);
}
return delegate.serve(ctx, req);
})
)
.build()
For more information
If you have any questions or comments about this advisory:
- Open an issue in line/armeria
- Chat with us at Slack
Credits
This vulnerability was originally reported by Abdallah Zaher (elcayser-0x0a).
Permalink: https://github.com/advisories/GHSA-8fp4-rp6c-5gcvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ZnA0LXJwNmMtNWdjds0Y7g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-8fp4-rp6c-5gcv, CVE-2021-43795
References:
- https://github.com/line/armeria/security/advisories/GHSA-8fp4-rp6c-5gcv
- https://github.com/line/armeria/pull/3855
- https://github.com/line/armeria/commit/e2697a575e9df6692b423e02d731f293c1313284
- https://nvd.nist.gov/vuln/detail/CVE-2021-43795
- https://github.com/advisories/GHSA-8fp4-rp6c-5gcv
Blast Radius: 18.0
Affected Packages
maven:com.linecorp.armeria:armeria
Dependent packages: 160Dependent repositories: 253
Downloads:
Affected Version Ranges: >= 1.12.0, < 1.13.4
Fixed in: 1.13.4
All affected versions: 1.12.0, 1.13.0, 1.13.1, 1.13.2, 1.13.3
All unaffected versions: 0.32.0, 0.33.0, 0.33.1, 0.34.0, 0.34.1, 0.35.0, 0.35.1, 0.35.2, 0.36.0, 0.37.0, 0.38.0, 0.39.0, 0.40.0, 0.41.0, 0.42.0, 0.43.0, 0.44.0, 0.45.0, 0.46.0, 0.46.1, 0.46.2, 0.46.3, 0.46.4, 0.47.0, 0.48.0, 0.49.0, 0.50.0, 0.51.0, 0.52.0, 0.52.1, 0.53.0, 0.53.1, 0.53.2, 0.54.0, 0.54.1, 0.54.2, 0.55.0, 0.55.1, 0.56.0, 0.56.1, 0.57.0, 0.58.0, 0.58.1, 0.59.0, 0.59.1, 0.59.2, 0.60.0, 0.61.0, 0.62.0, 0.63.0, 0.63.1, 0.64.0, 0.65.0, 0.65.1, 0.66.0, 0.67.0, 0.67.1, 0.67.2, 0.68.0, 0.68.1, 0.68.2, 0.69.0, 0.70.0, 0.70.1, 0.71.0, 0.71.1, 0.72.0, 0.73.0, 0.74.0, 0.74.1, 0.75.0, 0.76.0, 0.76.1, 0.76.2, 0.77.0, 0.78.0, 0.78.1, 0.78.2, 0.79.0, 0.80.0, 0.81.0, 0.81.1, 0.82.0, 0.83.0, 0.84.0, 0.85.0, 0.86.0, 0.87.0, 0.88.0, 0.89.0, 0.89.1, 0.90.0, 0.90.1, 0.90.2, 0.90.3, 0.91.0, 0.92.0, 0.93.0, 0.94.0, 0.95.0, 0.96.0, 0.97.0, 0.98.0, 0.98.1, 0.98.2, 0.98.3, 0.98.4, 0.98.5, 0.98.6, 0.98.7, 0.99.0, 0.99.1, 0.99.2, 0.99.3, 0.99.4, 0.99.5, 0.99.6, 0.99.7, 0.99.8, 0.99.9, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.13.4, 1.14.0, 1.14.1, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.17.0, 1.17.1, 1.17.2, 1.18.0, 1.19.0, 1.20.0, 1.20.1, 1.20.2, 1.20.3, 1.21.0, 1.22.0, 1.22.1, 1.23.0, 1.23.1, 1.24.0, 1.24.1, 1.24.2, 1.24.3, 1.25.0, 1.25.1, 1.25.2, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.27.0, 1.27.1, 1.27.2, 1.27.3, 1.28.0, 1.28.1