CVE-2021-32769: 
Java vulnerability analysis and mitigation

Micronaut, a JVM-based full stack Java framework designed for building JVM applications, contained a path traversal vulnerability in versions prior to 2.5.9. The vulnerability was discovered and disclosed on July 16, 2021. With a basic configuration, it was possible to access any file from the filesystem using '/../../' in the URL, as Micronaut did not restrict file access to configured paths (GitHub Advisory, NVD).

The vulnerability exists in the file system resource loading functionality. When configured with static resources enabled (e.g., router.static-resources.assets.enabled=true), the application failed to properly validate file paths, allowing directory traversal attacks. An attacker could use path traversal sequences like '../' to access files outside the intended directory structure. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating it can be exploited remotely without authentication (GitHub Advisory).

The vulnerability could potentially lead to unauthorized access to sensitive information on the filesystem. An attacker could read any file accessible to the application process by traversing outside the configured static resource paths. This could result in exposure of sensitive configuration files, credentials, or other confidential data (GitHub Advisory).

The vulnerability was patched in Micronaut version 2.5.9. For users unable to upgrade immediately, two workarounds are available: 1) Avoid using '*' in mapping and use only '' which exposes only flat structure of a directory not allowing traversal, or 2) On Linux systems, run Micronaut in chroot. The patch implements proper path validation to prevent access to files outside the configured base directory (GitHub Advisory).