spring-boot-actuator-logview is a library that exposes a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that filename=../somefile would not work), the base folder parameter was not sufficiently checked, so that filename=somefile&base=../ could access a file outside the logging base directory).


The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release.


Related Vulnerabilities