Spring-boot-actuator-logview - Path Traversal (CVE-2021-21234)
387 exploiting IPs reported
Spring-boot-actuator-logview is a library that adds a simple logfile viewer as a Spring Boot Actuator endpoint. In spring-boot-actuator-logview before version 0.2.13 there is a directory traversal vulnerability. The nature of this library is to expose a log file directory via admin (Spring Boot Actuator) HTTP endpoints. Both the filename to view and a base folder (relative to the logging folder root) can be specified via request parameters. While the filename parameter was checked to prevent directory traversal (so that `filename=../somefile` would not work), the base folder parameter was not sufficiently checked, so that `filename=somefile&base=../` could access a file outside the logging base directory. The vulnerability has been patched in release 0.2.13. Users of 0.2.12 should be able to update without any issues, as there are no other changes in that release.
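The flaw above is a per-parameter check that misses one of the inputs. The added example below (not code from the library) contrasts that pattern with a containment check on the fully resolved path, which rejects `base=../` as well as `filename=../somefile` and an absolute `base`. The log root `/var/log/app` is an assumed, constructed value.

```python
from pathlib import Path

# Assumed logging base directory (constructed for this example).
LOG_ROOT = Path("/var/log/app")


def rejects_traversal(segment: str) -> bool:
    """Per-parameter check of the kind applied only to `filename` before 0.2.13."""
    parts = segment.replace("\\", "/").split("/")
    return ".." in parts or segment.startswith("/")


def vulnerable_allows(base: str, filename: str) -> bool:
    """Pre-0.2.13 pattern: `filename` is checked, `base` is trusted as-is."""
    return not rejects_traversal(filename)


def safe_allows(base: str, filename: str, root: Path = LOG_ROOT) -> bool:
    """Hardened check: join root/base/filename, resolve it, and require that the
    result still lies inside the resolved root. Resolving follows symlinks, so a
    link inside the log directory that points outside the root is refused too."""
    root_resolved = root.resolve()
    # Joining an absolute `base` discards `root`; resolve() then exposes that.
    candidate = (root / base / filename).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return False
    return True


def resolved_target(base: str, filename: str, root: Path = LOG_ROOT) -> str:
    """Return the normalised path a request would reach; useful for logging denials."""
    return str((root / base / filename).resolve())


if __name__ == "__main__":
    for base, filename in [("", "app.log"), ("../", "somefile"), ("", "../somefile")]:
        print(f"base={base!r} filename={filename!r}: "
              f"old={vulnerable_allows(base, filename)} new={safe_allows(base, filename)} "
              f"-> {resolved_target(base, filename)}")
```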
CrowdSec analysis
CVE-2021-21234 is a directory traversal vulnerability affecting applications using the spring-boot-actuator-logview library, which exposes log file directories via HTTP endpoints. Insufficient validation of request parameters allows attackers to read files outside of the intended logging directory.
CrowdSec has been tracking this vulnerability and its exploits since 2 April 2025.
CrowdSec network observations suggest that most exploitation of CVE-2021-21234 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration, so a given attack is unlikely to be accidental. Telemetry from the CrowdSec network also shows that exploitation activity for CVE-2021-21234 remains steady week over week. Attack volumes are consistent with long-term trends, indicating sustained interest from threat actors. CVE-2021-21234 continues to be an active part of the threat landscape and will likely remain so for the foreseeable future.
Exploitation attempts are typically associated with URLs containing `/manage/log/view` or `/log/view`.
Blocklist
With its worldwide network detection, CrowdSec can provide a list of IPs known for exploiting this vulnerability. To increase your protection against this CVE, block exploitation attempts with this list of identified actors.