CVE-2021-29425 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Directory traversal
Description	In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1805	java-commons-io	2.6-2	2.8.0-1	Medium	Fixed

References
https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E https://issues.apache.org/jira/browse/IO-556 https://github.com/apache/commons-io/pull/52 https://github.com/apache/commons-io/commit/2736b6fe0b3fa22ec8e2b4184897ecadb021fc78#diff-9b6d1676935bc411202aa2ea51ea8af18db347af49eb21a5159cbbb891f7f5da

References

https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E
https://issues.apache.org/jira/browse/IO-556
https://github.com/apache/commons-io/pull/52
https://github.com/apache/commons-io/commit/2736b6fe0b3fa22ec8e2b4184897ecadb021fc78#diff-9b6d1676935bc411202aa2ea51ea8af18db347af49eb21a5159cbbb891f7f5da