Description
spring-boot-actuator-logview is a library that exposes a log file directory via admin (spring boot actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal exploits (so that filename=../somefile would not work), the base folder parameter was not sufficiently checked, so that filename=somefile&base=../ could access a file outside the logging base directory).
Remediation
The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues as there are no other changes in that release.
References
Related Vulnerabilities
WordPress Plugin Ad Inserter-Ad Manager & AdSense Ads Directory Traversal (2.4.19)
WordPress Plugin WordPress File Upload Directory Traversal (4.12.2)
Laravel log viewer local file download (LFD)
WordPress Plugin WordPress Infinite Scroll-Ajax Load More Multiple Vulnerabilities (5.5.3)
WordPress Plugin Wholesale Market for WooCommerce Directory Traversal (1.0.8)