Micronaut is a JVM-based, full-stack Java framework for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, a request whose URL contains "/../../" can access any file on the filesystem (in practice, any file the application process is able to read), not only files under the configured paths. This occurs because Micronaut does not restrict file access to the configured paths. The vulnerability is patched in version 2.5.9. As a workaround, do not use "**" in the mapping; use only "*", which exposes only the flat contents of a directory and does not allow traversal. On Linux, another workaround is to run Micronaut in a chroot. These workarounds are mitigations only; the fix is the upgrade to 2.5.9.
[
{
"digest": {
"length": 224.0,
"function_hash": "168296928503248447492188345111810913179"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java",
"function": "getResource"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-1864d54c",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"line_hashes": [
"267908196509186046248547599640846942614",
"168899291585172574884690192543247427591",
"275828188480902142504912868921286554336",
"69779632675163598369020110679238493511",
"332986745720066813555499390414430083181",
"332849096561619383370064256575384309998",
"246462523138713261349135191326131581164",
"189843453632746315791067843014976725682",
"295948846967546773930409994719099120755",
"325558851714036949077314822349842643980",
"215674198342449773256944024129403911698",
"223849647854687121011632428326939830353",
"158003834813641547854724244006826693308",
"125857724365334425903557455147590023757",
"23330513425160089554802132527849860789",
"321669935580047211561844955215812463061",
"173820070268333798014147419272139383574",
"209705243786882530389409538210509701162",
"289647216245536047923013071748438684700",
"131018971160695463205077693628301359036",
"79603321984949461662175277281480800708",
"14928004646916039696683342952577561131",
"91490669116308367519019384771728716175",
"304617066240175756138314041900612197503",
"175284793538028302885977881052872198955",
"300821572329288498004352089985258608983",
"45553687073939493960675207381897654934",
"77234684979975216513527849219161141498",
"285635464492178120003666805256269016819",
"316453086865754736043277932233918867214",
"238394555808089946984654930054052463258",
"337428223678900484220351534564433556489",
"223986320635065819843773820883181530370",
"790718449924781390339016445549489264",
"304765432703462073237024063686904066092",
"260001005445725834487840702453225137814",
"84220760108214856143271760497875331891",
"287771975008610910493478379168685083027",
"108613133191477746075080385215040361281",
"49412478117780537479656497993687414218"
],
"threshold": 0.9
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-267ba923",
"signature_version": "v1",
"signature_type": "Line",
"deprecated": false
},
{
"digest": {
"length": 207.0,
"function_hash": "336204040365284187621909312246701858828"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java",
"function": "getResourceAsStream"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-380169bf",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 151.0,
"function_hash": "99198163067505860427955632745499327264"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java",
"function": "getFilePath"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-495f9b53",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 1592.0,
"function_hash": "34946058026394342940018656059985997415"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java",
"function": "getResourceAsStream"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-52298708",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"line_hashes": [
"129572605899503434615165608173877611599",
"284295933353992665738597048546180115626",
"121057559549959300573200726576015283580",
"179989288167647093049502591469266497283",
"130679740522960163984100647697899676021",
"238353092972378002669953260633750028429",
"235482214661903995970415345401142300641",
"231546314601334496470379136685861624820",
"300329008136315580248323015283117501561",
"233973799042549822027141058487826703646",
"122771288802370837052439457140231547559",
"201656816826545793473052661050698428924",
"309347431482961560659314257021735415291",
"127142205491121149439741947743827627600",
"140793249164530759646387163964738944929",
"99376425732095913713458464095485322857",
"53295995161249670698302829691399102694",
"9242112812025115346153006426973178672",
"42570223622403677670863049402977923148",
"307902821540271556667636436916993051386",
"123418465824228553227541122405709287251",
"124430740245685121221610551206171713873",
"87184433178985220206925146531829890414",
"100885029249800813492817808109852241058",
"72566906126434585950004492993179014652",
"68548589289058887652309374681957230825",
"206993138223350939210759394494357942060",
"60525100301995570805650181965791660580",
"125926724110155998132130478589002512018",
"313708665263288737822266344593341958947",
"96792028933765552542527024212388851775",
"128989287516196814389572863690727901910",
"320022597452426322813648627326778470023",
"260650857403138293141959282210162469511",
"216800585526841312791230157965539936661",
"52161050066987586569344313036158380702",
"190471430669095247917313625030151976242",
"234727818583451417540422099778520804300",
"102302998191638604297647261578712968338",
"74172657883822152047292122708937668235",
"327009704929443226961260218437672792841",
"236792195512634478374527641527863481224",
"14452019476284513981298685294649561456",
"283490122095215933825113756023093907394",
"108587633537507210242609878158511307392",
"108587633537507210242609878158511307392",
"305320042696977491414410563078200906742",
"144860917288437078575971378334329747682",
"274170293965983179489129668775489549562",
"217885769356538564908564361576774211636",
"39909388019885625891141943538109299066",
"28060236511641962632471475223902919230",
"58904372904650507846659964652775758832",
"298476008079594746949664011796000353916",
"226682475124866832424612982457328173019",
"310445207523327377198591279216113619970",
"73957575460251204277101985560934649006",
"299105524719108069085886972628811241248",
"263389539127931955890705790388738864092",
"113108416593332130823446660522826493460",
"246736008984464389488229920272508725019",
"307687724847745166611948520422674040526",
"164324248686279838635751155635050603888",
"267139563606500120511135100801116021721",
"80557044268471588121561112286276241780",
"72088912426311941325668740929071289249",
"239935787701662855528991407250619120407",
"182914622906437583060330798281143811375",
"22800991312625449501651909558953058804",
"151129998003608392060818850145063383826",
"211508576006152700626532732321972548328",
"305822676679322100288295810989890760545",
"99461365135223390152236445429481522115",
"284718404854116636840578628870788433161"
],
"threshold": 0.9
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-5f300990",
"signature_version": "v1",
"signature_type": "Line",
"deprecated": false
},
{
"digest": {
"length": 101.0,
"function_hash": "236000775547078072619172011755578901253"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java",
"function": "DefaultClassPathResourceLoader"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-6099d02b",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 337.0,
"function_hash": "137148146742896995533155968600113593328"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java",
"function": "getResources"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-656bf306",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"line_hashes": [
"222245642915333973107017291513143958405",
"44364579084441752215338343766140344362",
"114618542302031114145513090863208997742",
"107419068461159206141392787986233992151",
"286618569352172388007416399838287197218",
"136933127590223201296876199107845811229",
"177111067649530404087856659895462042906",
"193590866782487750488022838875214077308",
"193529301202895838023519091617197647669",
"25464559431047765172771249134695312005",
"29994758891224117752444245086370855813"
],
"threshold": 0.9
},
"target": {
"file": "inject/src/main/java/io/micronaut/context/env/DefaultEnvironment.java"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-7b987f9b",
"signature_version": "v1",
"signature_type": "Line",
"deprecated": false
},
{
"digest": {
"length": 90.0,
"function_hash": "337196554890638657504728985827424660050"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java",
"function": "DefaultFileSystemResourceLoader"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-8a63b651",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 549.0,
"function_hash": "217258654109651114418625215659520072358"
},
"target": {
"file": "inject/src/main/java/io/micronaut/context/env/DefaultEnvironment.java",
"function": "readPropertiesFromLoader"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-992849e0",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 81.0,
"function_hash": "297469597683613991263311397155006291874"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java",
"function": "DefaultFileSystemResourceLoader"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-9a0c0705",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 63.0,
"function_hash": "297169274345748473013285455389034125876"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java",
"function": "DefaultFileSystemResourceLoader"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-9d47f489",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 115.0,
"function_hash": "257100994522677736987771484002143411075"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java",
"function": "DefaultFileSystemResourceLoader"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-ac4715f2",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 1118.0,
"function_hash": "96926950077758337111040507363703527970"
},
"target": {
"file": "inject/src/main/java/io/micronaut/context/env/DefaultEnvironment.java",
"function": "readPropertySourceListFromFiles"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-bc95f7dd",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
},
{
"digest": {
"length": 338.0,
"function_hash": "332688090122307162488882251818428995631"
},
"target": {
"file": "core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java",
"function": "getResource"
},
"source": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11",
"id": "CVE-2021-32769-e919c2ab",
"signature_version": "v1",
"signature_type": "Function",
"deprecated": false
}
]