Description
spring-boot-actuator-logview is a library that exposes a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that filename=../somefile would not work), the base folder parameter was not sufficiently checked, so that filename=somefile&base=../ could access a file outside the logging base directory).
Remediation
The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release.
References
Related Vulnerabilities
WordPress Plugin BP Group Documents Multiple Vulnerabilities (1.2.1)
AjaxControlToolkit directory traversal
WordPress Plugin WPS Child Theme Generator Directory Traversal (1.1)
WordPress Plugin GraceMedia Media Player Local File Inclusion (1.0)
WordPress Plugin Nelio AB Testing Directory Traversal (4.4.4)