RSS   Vulnerabilities for 'Armeria'   RSS

2021-12-02
 
CVE-2021-43795

CWE-22
 

 
Armeria is an open source microservice framework. In affected versions an attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains `%2F` (encoded `/`), such as `/files/..%2Fsecrets.txt`, bypassing Armeria's path validation logic. Armeria 1.13.4 or above contains the hardened path validation logic that handles `%2F` properly. This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path.

 
2019-12-06
 
CVE-2019-16771

CWE-74
 

 
Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized data is used to populate the headers of an HTTP response. This vulnerability has been patched in 0.97.0. Potential impacts of this vulnerability include cross-user defacement, cache poisoning, Cross-site scripting (XSS), and page hijacking.

 

 >>> Vendor: Linecorp 6 Products
LINE
Line installer
Line music
Apng-drawable
Armeria
Central dogma


Copyright 2022, cxsecurity.com

 

Back to Top