CVE-2021-32769 - High Severity Vulnerability
Vulnerable Libraries - micronaut-core-2.0.0.jar, micronaut-inject-2.0.0.jar
micronaut-core-2.0.0.jar
Natively Cloud Native
Library home page: http://micronaut.io
Path to dependency file: /dd-java-agent/instrumentation/micronaut-http-server-netty-2/micronaut-http-server-netty-2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.micronaut/micronaut-core/2.0.0/d3eaa045820cd59eca8508d5f8faa5187352d61e/micronaut-core-2.0.0.jar
Dependency Hierarchy:
- micronaut-inject-java-2.0.0.jar (Root Library)
- micronaut-inject-2.0.0.jar
- ❌ micronaut-core-2.0.0.jar (Vulnerable Library)
micronaut-inject-2.0.0.jar
Natively Cloud Native
Library home page: http://micronaut.io
Path to dependency file: /dd-java-agent/instrumentation/micronaut-http-server-netty-2/micronaut-http-server-netty-2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.micronaut/micronaut-inject/2.0.0/7a4cedfaf78f6226a660e259e3ced7610b144ac0/micronaut-inject-2.0.0.jar
Dependency Hierarchy:
- micronaut-inject-java-2.0.0.jar (Root Library)
- ❌ micronaut-inject-2.0.0.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Vulnerability Details
Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using "/../../" in the URL. This occurs because Micronaut does not restrict file access to configured paths. The vulnerability is patched in version 2.5.9. As a workaround, do not use ** in mapping, use only *, which exposes only flat structure of a directory not allowing traversal. If using Linux, another workaround is to run micronaut in chroot.
Publish Date: 2021-07-16
URL: CVE-2021-32769
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32769
Release Date: 2021-07-16
Fix Resolution (io.micronaut:micronaut-core): 2.5.9
Direct dependency fix Resolution (io.micronaut:micronaut-inject-java): 2.5.9
Fix Resolution (io.micronaut:micronaut-inject): 2.5.9
Direct dependency fix Resolution (io.micronaut:micronaut-inject-java): 2.5.9
⛑️ Automatic Remediation is available for this issue
CVE-2021-32769 - High Severity Vulnerability
micronaut-core-2.0.0.jar
Natively Cloud Native
Library home page: http://micronaut.io
Path to dependency file: /dd-java-agent/instrumentation/micronaut-http-server-netty-2/micronaut-http-server-netty-2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.micronaut/micronaut-core/2.0.0/d3eaa045820cd59eca8508d5f8faa5187352d61e/micronaut-core-2.0.0.jar
Dependency Hierarchy:
micronaut-inject-2.0.0.jar
Natively Cloud Native
Library home page: http://micronaut.io
Path to dependency file: /dd-java-agent/instrumentation/micronaut-http-server-netty-2/micronaut-http-server-netty-2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.micronaut/micronaut-inject/2.0.0/7a4cedfaf78f6226a660e259e3ced7610b144ac0/micronaut-inject-2.0.0.jar
Dependency Hierarchy:
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using "/../../" in the URL. This occurs because Micronaut does not restrict file access to configured paths. The vulnerability is patched in version 2.5.9. As a workaround, do not use
**in mapping, use only*, which exposes only flat structure of a directory not allowing traversal. If using Linux, another workaround is to run micronaut in chroot.Publish Date: 2021-07-16
URL: CVE-2021-32769
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32769
Release Date: 2021-07-16
Fix Resolution (io.micronaut:micronaut-core): 2.5.9
Direct dependency fix Resolution (io.micronaut:micronaut-inject-java): 2.5.9
Fix Resolution (io.micronaut:micronaut-inject): 2.5.9
Direct dependency fix Resolution (io.micronaut:micronaut-inject-java): 2.5.9
⛑️ Automatic Remediation is available for this issue