Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd3cnAtcHZycS1qbXd2

Path Traversal and Improper Input Validation in Apache Commons IO

In Apache Commons IO before 2.7, invoking the method FilenameUtils.normalize with an improper input string, such as "//../foo" or "\..\foo", returned the same value unchanged, thus possibly providing access to files in the parent directory, but not further above (hence "limited" path traversal), if the calling code used the result to construct a path value.

Permalink: https://github.com/advisories/GHSA-gwrp-pvrq-jmwv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWd3cnAtcHZycS1qbXd2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: 3 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-gwrp-pvrq-jmwv, CVE-2021-29425
References: Repository: https://github.com/jensdietrich/xshady-release
Blast Radius: 25.9

Affected Packages

maven:org.smartboot.servlet:servlet-core
Dependent packages: 7
Dependent repositories: 49
Downloads:
Affected Version Ranges: >= 0.1.9, <= 0.6
No known fixed version
All affected versions: 0.1.9, 0.2.1, 0.3.1
maven:org.checkerframework.annotatedlib:commons-io
Dependent packages: 0
Dependent repositories: 5
Downloads:
Affected Version Ranges: >= 2.6, < 2.7
Fixed in: 2.7
All affected versions:
All unaffected versions: 2.8.0
maven:org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io
Dependent packages: 17
Dependent repositories: 23
Downloads:
Affected Version Ranges: >= 1.4, <= 1.5
No known fixed version
All affected versions:
maven:org.apache.commons:commons-io
Dependent packages: 1,131
Dependent repositories: 24,775
Downloads:
Affected Version Ranges: = 1.3.2
No known fixed version
All affected versions: 1.3.2
maven:net.hasor:cobble-lang
Dependent packages: 5
Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 4.4.1, <= 4.6.2
No known fixed version
All affected versions: 4.4.1, 4.4.2, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.6.0, 4.6.1, 4.6.2
maven:com.virjar:ratel-api
Dependent packages: 1
Dependent repositories: 8
Downloads:
Affected Version Ranges: >= 1.0.0, <= 1.3.6
No known fixed version
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6
maven:com.liferay:com.liferay.sass.compiler.jsass
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: = 1.0.1
No known fixed version
All affected versions: 1.0.1
maven:com.diamondq.common:common-thirdparty.jcasbin
Dependent packages: 0
Dependent repositories: 1
Downloads:
Affected Version Ranges: = 1.4.0
No known fixed version
All affected versions: 1.4.0
maven:com.cosium.vet:vet
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 1.0, <= 3.22
No known fixed version
All affected versions:
maven:commons-io:commons-io
Dependent packages: 21,919
Dependent repositories: 245,203
Downloads:
Affected Version Ranges: < 2.7
Fixed in: 2.7
All affected versions: 1.3.1, 1.3.2, 2.0.1
All unaffected versions: 2.8.0, 2.9.0, 2.10.0, 2.11.0, 2.12.0, 2.13.0, 2.14.0, 2.15.0, 2.15.1, 2.16.0, 2.16.1