Article directory
0. Preface
Background: Spring Boot has a path traversal vulnerability. CVE-2021-22118:
The official issue also has a record of this. If you are interested, you can look at
https://github.com/spring-projects/spring-boot/issues/26627
https://github.com/spring-projects/spring-boot/issues/27543
CVE-2021-22118 is a vulnerability found in Spring Boot. The vulnerability is related to the Remote Update function in Spring Boot's developer tools (Devtools). In some cases, an attacker may use this feature to perform directory traversal attacks to gain access to sensitive files on the system.
It should be noted that this vulnerability only affects file system-based applications using Spring Boot Devtools, and the application must also meet one of the following two conditions:
- The remote update function is enabled (spring.devtools.restart.enabled = true).
- The application uses the default HTTP update URL (spring.devtools.restart.remote-secret).
If your application meets the above conditions, it is recommended to fix it as soon as possible. There are several ways to fix this vulnerability:
- Upgrade Spring Boot to 2.3.10.RELEASE or later.
- Upgrade Spring Boot to 2.4.5 or later.
- Upgrade Spring Boot to 2.5.0 or higher.
For more information about this vulnerability, please refer to Spring's official security notice.
Please note that for applications already running in the production environment, modifying the CORS configuration may affect normal functions. Therefore, adequate testing should be done before implementing this fix.
1. Reference documents
CVE Official Website https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22118
2. Basic introduction
CVE-2021-22118 is a serious path traversal vulnerability found in Spring Boot . The vulnerability could allow an attacker to gain access to a computer's sensitive files and data on behalf of the application.
1. Affected versions
This vulnerability affects Spring Boot versions 2.3.0 to 2.3.7 , 2.4.0 to 2.4.3 and 2.5.0 .
2. Exploitation principle:
The vulnerability stems from the failure of Spring Boot to correctly handle the pattern ".../" that may cause path traversal when processing the URL entered by the user. When a Spring Boot application is configured with Spring MVC and uses default resource handling, an attacker can access files on the application classpath through carefully constructed URLs. This makes it possible for an attacker to access and download sensitive files through this vulnerability, or perform illegal operations.
The official fix is to release a new version, ie Spring Boot 2.3.8、2.4.4and 2.5.1. In these versions, the official handling of path traversal has been improved.
Specifically, Spring Bootwhen processing the URL requested by the user, the processing of the pattern ".../" that may cause path traversal is enhanced. When an application detects that a requested URL contains such a pattern, stricter validation is performed to prevent attackers from exploiting this pattern to access files or directories outside of the application's classpath.
In order to fix this issue, affected users should upgrade their Spring Boot version to the new officially released version as soon as possible. In fact, this is a general policy for any software vulnerability: as soon as you discover a vulnerability, you should upgrade to the latest version that fixes the vulnerability as soon as possible.
3. Solutions
3.1. Scheme 1
Spring fixed this vulnerability in its 2.3.8 , 2.4.4 and 2.5.1 versions. For affected users, it is recommended to upgrade to these versions as soon as possible. At the same time, as a temporary measure, you can limit the URLs that users can access, or add stricter checks on the URLs submitted by users on the server side.
3.2. Scheme 2
temporary solution
In Nginx, you can use locationdirectives and rewritedirectives to intercept and block requests containing ".../", the following is a basic example configuration:
server {
listen 80;
server_name your_domain.com;
location / {
if ($request_uri ~* "\.\.\/") {
return 403;
}
proxy_pass http://your_upstream;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
This configuration will listen to port 80 and proxy the request to it http://your_upstream. If the requested URI contains ".../", Nginx will return a 403 status code, which is "forbidden".
This is only one way to prevent path traversal attacks, and it is not completely safe. Therefore, upgrading to
a version of Spring Boot that does not have this vulnerability is still the safest solution. Also, you should regularly update your Nginx version to apply the latest security fixes.
3. Option 3
In Spring Boot you can prevent path traversal attacks by customizing an interceptor. The interceptor can check the URL of the request before processing the request. If the URL contains illegal characters (such as "…/" or "./"), the request can be rejected. == This may be intercepted by mistake, please pay attention to fully test and consider various channels when using ==
A simple example for reference
import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@Component
public class PathTraversalInterceptor implements HandlerInterceptor {
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
String uri = request.getRequestURI();
if (uri.contains("../") || uri.contains("./")) {
response.sendError(HttpServletResponse.SC_BAD_REQUEST);
return false;
}
return true;
}
}
This interceptor needs to be registered in Spring's interceptor chain in a configuration class:
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@Configuration
public class WebConfig implements WebMvcConfigurer {
private final PathTraversalInterceptor pathTraversalInterceptor;
public WebConfig(PathTraversalInterceptor pathTraversalInterceptor) {
this.pathTraversalInterceptor = pathTraversalInterceptor;
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(pathTraversalInterceptor);
}
}
PathTraversalInterceptorIn this way, Spring will execute preHandlethe method to check the requested URL before processing each request .
This method can only be used as a temporary solution, it is not a substitute for upgrading Spring
Boot to a version that does not have this vulnerability. Because an attacker may use encoding to bypass your inspection, and upgrading Spring Boot can completely fix this vulnerability.