{"id":"CVE-2021-32769","details":"Micronaut is a JVM-based, full stack Java framework designed for building JVM applications. A path traversal vulnerability exists in versions prior to 2.5.9. With a basic configuration, it is possible to access any file from a filesystem, using \"/../../\" in the URL. This occurs because Micronaut does not restrict file access to configured paths. The vulnerability is patched in version 2.5.9. As a workaround, do not use `**` in mapping, use only `*`, which exposes only flat structure of a directory not allowing traversal. If using Linux, another workaround is to run micronaut in chroot.","aliases":["GHSA-cjx7-399x-p2rj"],"modified":"2026-04-12T03:27:02.798529Z","published":"2021-07-16T19:15:07.893Z","related":["GHSA-cjx7-399x-p2rj"],"references":[{"type":"FIX","url":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11"},{"type":"FIX","url":"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-cjx7-399x-p2rj"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/micronaut-projects/micronaut-core","events":[{"introduced":"0"},{"fixed":"808a868902e58d343c5b38922088920a4236e580"},{"fixed":"a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"2.5.9"}],"cpe":"cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*","source":["CPE_FIELD","REFERENCES"]}}],"versions":["v1.0.0","v1.0.0.M1","v1.0.0.M2","v1.0.0.M3","v1.0.0.M4","v1.0.0.RC2","v1.0.0.RC3","v1.1.0.M1","v1.1.0.M2","v1.1.0.RC1","v1.1.0.RC2","v1.2.0","v1.2.0.RC1","v1.2.0.RC2","v1.3.0","v1.3.0.M1","v1.3.0.M2","v1.3.0.RC1","v1.3.0.TEST","v2.0.0","v2.0.0.RC1","v2.0.0.RC2","v2.0.1","v2.1.0","v2.3.0","v2.3.1","v2.4.0","v2.5.0","v2.5.1","v2.5.2","v2.5.3","v2.5.4","v2.5.5","v2.5.6","v2.5.7","v2.5.8"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32769.json","vanir_signatures":[{"id":"CVE-2021-32769-1864d54c","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"168296928503248447492188345111810913179","length":224},"deprecated":false,"target":{"function":"getResource","file":"core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-267ba923","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"threshold":0.9,"line_hashes":["267908196509186046248547599640846942614","168899291585172574884690192543247427591","275828188480902142504912868921286554336","69779632675163598369020110679238493511","332986745720066813555499390414430083181","332849096561619383370064256575384309998","246462523138713261349135191326131581164","189843453632746315791067843014976725682","295948846967546773930409994719099120755","325558851714036949077314822349842643980","215674198342449773256944024129403911698","223849647854687121011632428326939830353","158003834813641547854724244006826693308","125857724365334425903557455147590023757","23330513425160089554802132527849860789","321669935580047211561844955215812463061","173820070268333798014147419272139383574","209705243786882530389409538210509701162","289647216245536047923013071748438684700","131018971160695463205077693628301359036","79603321984949461662175277281480800708","14928004646916039696683342952577561131","91490669116308367519019384771728716175","304617066240175756138314041900612197503","175284793538028302885977881052872198955","300821572329288498004352089985258608983","45553687073939493960675207381897654934","77234684979975216513527849219161141498","285635464492178120003666805256269016819","316453086865754736043277932233918867214","238394555808089946984654930054052463258","337428223678900484220351534564433556489","223986320635065819843773820883181530370","790718449924781390339016445549489264","304765432703462073237024063686904066092","260001005445725834487840702453225137814","84220760108214856143271760497875331891","287771975008610910493478379168685083027","108613133191477746075080385215040361281","49412478117780537479656497993687414218"]},"deprecated":false,"target":{"file":"core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"},"signature_version":"v1","signature_type":"Line"},{"id":"CVE-2021-32769-380169bf","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"336204040365284187621909312246701858828","length":207},"deprecated":false,"target":{"function":"getResourceAsStream","file":"core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-495f9b53","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"99198163067505860427955632745499327264","length":151},"deprecated":false,"target":{"function":"getFilePath","file":"core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-52298708","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"34946058026394342940018656059985997415","length":1592},"deprecated":false,"target":{"function":"getResourceAsStream","file":"core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-5f300990","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"threshold":0.9,"line_hashes":["129572605899503434615165608173877611599","284295933353992665738597048546180115626","121057559549959300573200726576015283580","179989288167647093049502591469266497283","130679740522960163984100647697899676021","238353092972378002669953260633750028429","235482214661903995970415345401142300641","231546314601334496470379136685861624820","300329008136315580248323015283117501561","233973799042549822027141058487826703646","122771288802370837052439457140231547559","201656816826545793473052661050698428924","309347431482961560659314257021735415291","127142205491121149439741947743827627600","140793249164530759646387163964738944929","99376425732095913713458464095485322857","53295995161249670698302829691399102694","9242112812025115346153006426973178672","42570223622403677670863049402977923148","307902821540271556667636436916993051386","123418465824228553227541122405709287251","124430740245685121221610551206171713873","87184433178985220206925146531829890414","100885029249800813492817808109852241058","72566906126434585950004492993179014652","68548589289058887652309374681957230825","206993138223350939210759394494357942060","60525100301995570805650181965791660580","125926724110155998132130478589002512018","313708665263288737822266344593341958947","96792028933765552542527024212388851775","128989287516196814389572863690727901910","320022597452426322813648627326778470023","260650857403138293141959282210162469511","216800585526841312791230157965539936661","52161050066987586569344313036158380702","190471430669095247917313625030151976242","234727818583451417540422099778520804300","102302998191638604297647261578712968338","74172657883822152047292122708937668235","327009704929443226961260218437672792841","236792195512634478374527641527863481224","14452019476284513981298685294649561456","283490122095215933825113756023093907394","108587633537507210242609878158511307392","108587633537507210242609878158511307392","305320042696977491414410563078200906742","144860917288437078575971378334329747682","274170293965983179489129668775489549562","217885769356538564908564361576774211636","39909388019885625891141943538109299066","28060236511641962632471475223902919230","58904372904650507846659964652775758832","298476008079594746949664011796000353916","226682475124866832424612982457328173019","310445207523327377198591279216113619970","73957575460251204277101985560934649006","299105524719108069085886972628811241248","263389539127931955890705790388738864092","113108416593332130823446660522826493460","246736008984464389488229920272508725019","307687724847745166611948520422674040526","164324248686279838635751155635050603888","267139563606500120511135100801116021721","80557044268471588121561112286276241780","72088912426311941325668740929071289249","239935787701662855528991407250619120407","182914622906437583060330798281143811375","22800991312625449501651909558953058804","151129998003608392060818850145063383826","211508576006152700626532732321972548328","305822676679322100288295810989890760545","99461365135223390152236445429481522115","284718404854116636840578628870788433161"]},"deprecated":false,"target":{"file":"core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java"},"signature_version":"v1","signature_type":"Line"},{"id":"CVE-2021-32769-6099d02b","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"236000775547078072619172011755578901253","length":101},"deprecated":false,"target":{"function":"DefaultClassPathResourceLoader","file":"core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-656bf306","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"137148146742896995533155968600113593328","length":337},"deprecated":false,"target":{"function":"getResources","file":"core/src/main/java/io/micronaut/core/io/scan/DefaultClassPathResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-7b987f9b","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"threshold":0.9,"line_hashes":["222245642915333973107017291513143958405","44364579084441752215338343766140344362","114618542302031114145513090863208997742","107419068461159206141392787986233992151","286618569352172388007416399838287197218","136933127590223201296876199107845811229","177111067649530404087856659895462042906","193590866782487750488022838875214077308","193529301202895838023519091617197647669","25464559431047765172771249134695312005","29994758891224117752444245086370855813"]},"deprecated":false,"target":{"file":"inject/src/main/java/io/micronaut/context/env/DefaultEnvironment.java"},"signature_version":"v1","signature_type":"Line"},{"id":"CVE-2021-32769-8a63b651","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"337196554890638657504728985827424660050","length":90},"deprecated":false,"target":{"function":"DefaultFileSystemResourceLoader","file":"core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-992849e0","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"217258654109651114418625215659520072358","length":549},"deprecated":false,"target":{"function":"readPropertiesFromLoader","file":"inject/src/main/java/io/micronaut/context/env/DefaultEnvironment.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-9a0c0705","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"297469597683613991263311397155006291874","length":81},"deprecated":false,"target":{"function":"DefaultFileSystemResourceLoader","file":"core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-9d47f489","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"297169274345748473013285455389034125876","length":63},"deprecated":false,"target":{"function":"DefaultFileSystemResourceLoader","file":"core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-ac4715f2","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"257100994522677736987771484002143411075","length":115},"deprecated":false,"target":{"function":"DefaultFileSystemResourceLoader","file":"core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-bc95f7dd","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"96926950077758337111040507363703527970","length":1118},"deprecated":false,"target":{"function":"readPropertySourceListFromFiles","file":"inject/src/main/java/io/micronaut/context/env/DefaultEnvironment.java"},"signature_version":"v1","signature_type":"Function"},{"id":"CVE-2021-32769-e919c2ab","source":"https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11","digest":{"function_hash":"332688090122307162488882251818428995631","length":338},"deprecated":false,"target":{"function":"getResource","file":"core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java"},"signature_version":"v1","signature_type":"Function"}],"vanir_signatures_modified":"2026-04-12T03:27:02Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}