Path Traversal and Improper Input Validation in Apache Commons IO

Description

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Repository: OpenNMS/alec (https://github.com/OpenNMS/alec)
Dependabot: https://github.com/OpenNMS/alec/security/dependabot/5
CVE: CVE-2021-29425
CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GHSA: GHSA-gwrp-pvrq-jmwv
Severity: medium
Ecosystem: maven
Package Name: commons-io:commons-io
Vulnerable Version Range: < 2.7
First Patched Version: 2.7

Activity

Details
Assignee
Unassigned
Reporter
onms security jira
Labels
dependabotsecurity
Priority
Trivial

PagerDuty

Created July 19, 2023 at 12:43 PM

Updated July 19, 2023 at 12:43 PM

Path Traversal and Improper Input Validation in Apache Commons IO

Description

Activity

Details
Assignee
Unassigned
Reporter
onms security jira
Labels
dependabotsecurity
Priority
Trivial

Details

Assignee

Reporter

Labels

Priority

PagerDuty

PagerDuty

Flag notifications

Something's gone wrong

Something's gone wrong

Path Traversal and Improper Input Validation in Apache Commons IO

Description

Activity

DetailsAssigneeUnassignedUnassignedReporteronms security jiraonms security jiraLabelsdependabotsecurityPriorityTrivial

Details

Assignee

Reporter

Labels

Priority

PagerDutyPagerDuty Incident

PagerDuty

Flag notifications

Something's gone wrong

Something's gone wrong

Details
Assignee
Unassigned
Reporter
onms security jira
Labels
dependabotsecurity
Priority
Trivial

PagerDuty