CVE-2021-29425

Description:
In Apache Commons IO before 2.7, invoking the method FilenameUtils.normalize with an improper input string such as "//../foo" or "..foo" returned the same value, thus possibly providing access to files in the parent directory, but not further above (hence a "limited" path traversal), if the calling code used the result to construct a path value.
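The description's point is that a normalized string is not by itself a safe path: whether "//../foo" escapes depends on how the calling code joins the result to a base directory. The following added example is not Commons IO code and does not reproduce its normalize routine; it shows the containment check a caller should perform regardless of what the normalizer returns. BASE_DIR is a constructed example directory and resolve_within is a hypothetical helper name; the logic is pure string handling via posixpath, so it runs offline and never touches the filesystem.

```python
import posixpath

# Constructed example: the directory the application intends to serve files from.
BASE_DIR = "/srv/app/files"


def resolve_within(base_dir, user_path):
    """Resolve user_path against base_dir and return the absolute result only if
    it stays inside base_dir; return None otherwise.

    Hypothetical caller-side check (not part of Commons IO). It treats the
    user-supplied value as relative, so neither an absolute nor a '//'-prefixed
    input can replace base_dir during the join, and then verifies that the
    normalized result still has base_dir as a prefix on a segment boundary.
    """
    base = posixpath.normpath(base_dir)
    # Strip leading separators: "//../foo" becomes "../foo", which is then
    # resolved relative to the base and rejected by the containment test below.
    relative = user_path.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, relative))
    # Compare on a segment boundary so "/srv/app/files2" does not pass for
    # base "/srv/app/files". The root directory is the one base with no
    # trailing separator to add.
    prefix = base if base == "/" else base + "/"
    if candidate == base or candidate.startswith(prefix):
        return candidate
    return None


if __name__ == "__main__":
    # Inputs taken from the CVE description plus a benign one for contrast.
    for user_input in ("//../foo", "..foo", "../foo", "docs/report.txt"):
        resolved = resolve_within(BASE_DIR, user_input)
        verdict = "rejected" if resolved is None else "allowed -> " + resolved
        print(f"{user_input!r}: {verdict}")
```

Note that "..foo" is a legitimate file name (two dots followed by text, not a parent-directory segment) and is accepted, while "//../foo" and "../foo" both resolve one level above BASE_DIR and are rejected. That distinction is exactly what the pre-2.7 normalize result hid from the caller, and the check recovers it independently of the library version.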

CWE: CWE-22

CVSS rating:
CVSS 2: MEDIUM - 5 (Version: 2.0)
CVSS 3: MEDIUM - 5.3 (Version: 3.1)

Links:

NVD - CVE-2021-29425
CVE - CVE-2021-29425

Link (max. 20) | Source | Tags
https://issues.apache.org/jira/browse/IO-556 | MISC | Exploit, Issue Tracking, Vendor Advisory
https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E | MISC | Mailing List, Vendor Advisory
[commons-dev] 20210414 Re: [all] OSS Fuzz | MLIST | Mailing List, Vendor Advisory
[commons-dev] 20210415 Re: [all] OSS Fuzz | MLIST | Mailing List, Vendor Advisory
[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425 | MLIST | Mailing List, Vendor Advisory
[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425 | MLIST | Mailing List, Vendor Advisory
[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity | MLIST | Mailing List, Vendor Advisory
[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity | MLIST | Mailing List, Vendor Advisory
[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity | MLIST | Mailing List, Vendor Advisory
[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity | MLIST | Mailing List, Vendor Advisory
[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287) | MLIST | Mailing List, Third Party Advisory
[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix | MLIST | Mailing List, Third Party Advisory, Vendor Advisory

Source: NVD - CVE-2021-29425
Publication date: 2021-04-13T07:15Z, last modified: 2021-05-04T13:34Z