CVE-2021-29425
Published: Apr 13, 2021
Modified: Aug 3, 2024
PUBLISHED
Description
In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value.
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache Commons IO | 2.2, 2.3, 2.4, 2.5, 2.6 (affected) |
References
- https://issues.apache.org/jira/browse/IO-556
- [commons-dev] 20210414 Re: [all] OSS Fuzz (mailing list)
- [commons-dev] 20210415 Re: [all] OSS Fuzz (mailing list)
- [creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity (mailing list)
- [creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity (mailing list)
- [creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity (mailing list)
- [creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity (mailing list)
- [myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix (mailing list)
- [creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425 (mailing list)
- [creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425 (mailing list)
- [creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425 (mailing list)
- [creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425 (mailing list)
- [kafka-users] 20210617 vulnerabilities (mailing list)
- [creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity (mailing list)
- [commons-user] 20210709 commons-fileupload dependency and CVE (mailing list)
- [commons-user] 20210709 Re: commons-fileupload dependency and CVE (mailing list)
- [portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425 (mailing list)
- [portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425 (mailing list)
- [debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update (mailing list)
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20220210-0004/ (vendor confirmation)
- https://www.oracle.com/security-alerts/cpujul2022.html