Possible limited path traversal vulnerability in Apache Commons IO up to version 2.6 (CVE-2021-29425)
Issue date: 06-07-2021
Affects versions: 14.5, 13.4, 12.6
Security Issue ID
SECURITY-222
Affected Product Version(s)
14.5.1, 12.6.15, 13.4.8 and previous releases.
Severity
medium
Description
In Apache Commons IO before 2.7, invoking the method FilenameUtils.normalize with an improper input string such as "//../foo" or "\\..\foo" returns the value unchanged: the leading double separator is parsed as a UNC prefix and the ".." is taken as the host name, so the usual double-dot check does not reject it. If the calling code uses the result to construct a path, this can give access to files in the parent directory, but not further above (hence "limited" path traversal).
The Commons IO dependency has been updated in 14.5.2, 13.4.9 and 12.6.16.
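The following Java program is added here as an illustration; it is not code from this advisory, from Commons IO or from the affected product. It passes the advisory's two input strings through FilenameUtils.normalize() and shows the containment check a caller should make on the constructed path regardless of which Commons IO version is on the classpath. The class name NormalizeTraversalCheck, the helper resolveUnderBase, the base directory and the sample inputs are assumptions made for the example; commons-io must be on the classpath to compile and run it.

```java
import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FilenameUtils;

public class NormalizeTraversalCheck {

    // Hypothetical helper (not part of Commons IO or the affected product): resolve a
    // user-supplied name under baseDir and refuse anything that does not stay inside it.
    static File resolveUnderBase(File baseDir, String userPath) throws IOException {
        String normalized = FilenameUtils.normalize(userPath);
        if (normalized == null) {
            // normalize() returns null for paths it considers invalid, e.g. a plain "../foo".
            throw new IllegalArgumentException("invalid path: " + userPath);
        }
        File target = new File(baseDir, normalized);
        // Containment check on canonical paths. This is the defence that does not depend on
        // how normalize() parsed the input. The trailing separator stops a base of "/data"
        // from accepting "/data2/...".
        String basePrefix = baseDir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(basePrefix)) {
            throw new IllegalArgumentException("path escapes base directory: " + userPath);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Assumed base directory for the example.
        File base = new File(System.getProperty("java.io.tmpdir"), "app-data");
        // Constructed inputs: one benign name, the two strings from the advisory
        // (the second is "\\..\foo" once Java string escaping is removed), and a plain
        // traversal that normalize() already rejects.
        String[] inputs = {"reports/q1.txt", "//../foo", "\\\\..\\foo", "../foo"};
        for (String input : inputs) {
            System.out.println(input + " -> normalize(): " + FilenameUtils.normalize(input));
            try {
                System.out.println("  accepted: " + resolveUnderBase(base, input));
            } catch (IllegalArgumentException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

With commons-io 2.6 the "//../foo" and "\\..\foo" inputs come back from normalize() unchanged, and new File(base, "//../foo") then resolves one level above base. With 2.7 or later the same calls return null. In both cases resolveUnderBase rejects the input, because the canonical-path check does not rely on normalize() being the only guard; the version bump removes the bug, the containment check removes the dependency on it. The check also rejects baseDir itself, which is usually the intended behaviour for a path that is meant to name a file under it.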
Instructions
Customers using the 12.x, 13.x and 14.x major versions should upgrade to the latest release in that series.