CrowdSec
8/10 CrowdSec Score

Spring-boot-actuator-logview - Path Traversal (CVE-2021-21234)

Published on 05-01-2021
First seen on 07-04-2025

197 Exploiting IPs reported

Spring-boot-actuator-logview is a library that adds a simple logfile viewer as a Spring Boot Actuator endpoint. In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (Spring Boot Actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory. The vulnerability has been patched in release 0.2.13. Any users of 0.2.12 should be able to update without any issues, as there are no other changes in that release.
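The description above makes the root cause clear: screening one parameter for `..` while joining the other unchecked. The following added example (not code from the spring-boot-actuator-logview project, which is Java; this is a Python illustration of the same check) contrasts a filename-only screen, mirroring the pre-0.2.13 logic as the advisory describes it, with the usual fix: canonicalise the full root/base/filename path and accept it only if the result still lies inside the logging root. The root directory `/srv/app/logs` is an assumed value.

```python
from pathlib import Path
from typing import Optional

# Assumed logging root for this example; any directory works.
LOG_ROOT = Path("/srv/app/logs")


def naive_allows(filename: str, base: str) -> bool:
    """Mirrors the flawed logic as described in the advisory: only the
    filename is screened for traversal, the base folder is joined as-is.
    Returns True when the request would be served."""
    return ".." not in filename


def resolve_log_path(root: Path, base: str, filename: str) -> Optional[Path]:
    """Hardened resolution. Canonicalise root/base/filename and return the
    path only if it is still inside root; otherwise return None.

    Checking the *resolved* path (rather than scanning parameters for '..')
    also covers absolute components, nested '..' inside a longer base such as
    'app/../../x', and symlinked parents, because the comparison is made on
    the final filesystem location, not on the request text."""
    root_c = root.resolve()
    # Path('/srv/app/logs') / '/etc' evaluates to '/etc'; refuse absolute
    # components explicitly so the intent is obvious in review.
    if Path(base).is_absolute() or Path(filename).is_absolute():
        return None
    candidate = (root_c / base / filename).resolve()
    try:
        candidate.relative_to(root_c)  # raises ValueError when outside root
    except ValueError:
        return None
    # Containment alone still allows asking for the root directory itself
    # (base='' and filename=''); a log viewer should serve a file, not root.
    if candidate == root_c:
        return None
    return candidate


if __name__ == "__main__":
    # The advisory's two cases: filename traversal was already blocked,
    # base traversal was not.
    print("naive, filename=../somefile ->", naive_allows("../somefile", ""))
    print("naive, base=../ ->", naive_allows("somefile", "../"))
    print("hardened, base=../ ->", resolve_log_path(LOG_ROOT, "../", "somefile"))
    print("hardened, normal ->", resolve_log_path(LOG_ROOT, "app", "server.log"))
```

The important property is that the decision is made on the canonical path the server would actually open, so every parameter that contributes to it is covered automatically, including any added later. Screening individual parameters for `..` is how the base folder came to be missed in the first place.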

CrowdSec analysis

CVE-2021-21234 is a directory traversal vulnerability affecting applications using the spring-boot-actuator-logview library, which exposes log file directories via HTTP endpoints. Insufficient validation of request parameters allows attackers to read files outside of the intended logging directory.

CrowdSec has been tracking this vulnerability and its exploits since 2 April 2025.

CrowdSec network observations suggest that most exploitation of CVE-2021-21234 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. CrowdSec data also reveals a clear uptick in attacks involving CVE-2021-21234 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.

Exploitation attempts are typically associated with URLs containing /manage/log/view or /log/view.
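For teams that do not run CrowdSec, the two URL paths named above plus the traversal pattern from the advisory are enough to write a first-pass hunt over web server access logs. The example below is added here and is not CrowdSec's detection logic or scenario; it scans constructed sample lines in common log format, flags requests to the log viewer whose `base` or `filename` parameter resolves to a `../` sequence (decoding once for single and again for double URL-encoding), and reports the source IP, path, offending parameters and response status. The sample IPs and log lines are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Paths the CrowdSec analysis associates with exploitation attempts.
LOGVIEW_PATHS = ("/manage/log/view", "/log/view")

# A '..' path segment, bounded by a separator or the string edge, so that a
# legitimate filename such as 'app..old.log' does not match.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Common log format: ip ident user [time] "method target proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample access log; not real traffic. Line 2 is the advisory's
# own example, line 3 is the same request with the base URL-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2025:10:00:01 +0000] "GET /manage/log/view?filename=app.log&base=service HTTP/1.1" 200 512
203.0.113.11 - - [02/Apr/2025:10:00:02 +0000] "GET /manage/log/view?filename=somefile&base=../ HTTP/1.1" 200 1024
203.0.113.12 - - [02/Apr/2025:10:00:03 +0000] "GET /log/view?filename=somefile&base=%2e%2e%2f%2e%2e%2f HTTP/1.1" 404 0
203.0.113.13 - - [02/Apr/2025:10:00:04 +0000] "GET /actuator/health HTTP/1.1" 200 15
"""


def is_traversal(value: str) -> bool:
    """True if the value contains a '..' segment after URL-decoding.
    Decoding twice catches '%252e%252e%252f' style double encoding."""
    return bool(TRAVERSAL.search(unquote(unquote(value))))


def scan_access_log(text: str) -> List[Dict]:
    """Return one record per request to a log-viewer path whose base or
    filename parameter carries a traversal sequence."""
    hits: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m["target"])
        if not any(p in parts.path for p in LOGVIEW_PATHS):
            continue
        # parse_qs already decodes one layer of percent-encoding.
        params = parse_qs(parts.query, keep_blank_values=True)
        bad = sorted({k for k in ("base", "filename")
                      for v in params.get(k, []) if is_traversal(v)})
        if bad:
            hits.append({"ip": m["ip"], "path": parts.path,
                         "params": bad, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

When triaging the output, the response status is the field to sort on: a traversal request answered with 200 means the endpoint served something and the host should be treated as exposed (the fix is to update to 0.2.13 or later), whereas 404 or 403 responses are scanner noise against patched or absent endpoints and are better fed into a blocklist than an incident ticket.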


Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.