CVE-2021-29425 – org.apache.commons:commons-io

Package

Manager: maven
Name: org.apache.commons:commons-io
Vulnerable Version: =1.3.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00321 pctl0.5457

Details

Path Traversal and Improper Input Validation in Apache Commons IO In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Metadata

Created: 2021-04-26T16:04:00Z
Modified: 2024-02-14T20:25:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json
CWE IDs: ["CWE-20", "CWE-22"]
Alternative ID: GHSA-gwrp-pvrq-jmwv
Finding: F063
Auto approve: 1