Skip to main content

Commons Io CVE-2021-29425

MEDIUM
Improper Input Validation (CWE-20)
2021-04-13 security@apache.org
Apache Path Traversal Commons Io Debian Linux Access Manager Agile Engineering Data Management Agile Plm Application Performance Management Application Testing Suite Banking Apis Banking Digital Experience Banking Enterprise Default Management Banking Enterprise Default Managment Banking Party Management Banking Platform Blockchain Platform Commerce Guided Search Communications Application Session Controller Communications Billing And Revenue Management Elastic Charging Engine Communications Cloud Native Core Network Repository Function Communications Cloud Native Core Policy Communications Cloud Native Core Unified Data Repository Communications Contacts Server Communications Converged Application Server Service Controller Communications Convergence Communications Design Studio Communications Diameter Intelligence Hub Communications Interactive Session Recorder Communications Offline Mediation Controller Communications Order And Service Management Communications Policy Management Communications Pricing Design Center Communications Service Broker Enterprise Communications Broker Enterprise Session Border Controller Financial Services Analytical Applications Infrastructure Financial Services Model Management And Governance Flexcube Core Banking Fusion Middleware Mapviewer Health Sciences Data Management Workbench Health Sciences Information Manager Healthcare Data Repository Helidon Insurance Policy Administration Insurance Rules Palette Oss Support Tools Primavera Unifier Real User Experience Insight Rest Data Services Retail Assortment Planning Retail Integration Bus Retail Merchandising System Retail Order Broker Retail Pricing Retail Service Backbone Retail Size Profile Optimization Retail Xstore Point Of Service Solaris Cluster Utilities Testing Accelerator Webcenter Portal Weblogic Server Active Iq Unified Manager
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Apr 13, 2021 - 07:15 nvd
MEDIUM 4.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11,108 maven packages depend on commons-io:commons-io (2,941 direct, 8,213 indirect)
  • 2 maven packages depend on net.hasor:cobble-lang (2 direct, 0 indirect)
  • 2 maven packages depend on org.smartboot.servlet:servlet-core (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.7 and other introduced versions.

DescriptionNVD

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

AnalysisAI

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-20. In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. Affected products include: Apache Commons Io, Debian Debian Linux, Oracle Access Manager, Oracle Agile Engineering Data Management, Oracle Agile Plm. Version information: before 2.7.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2021-29425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy