Severity: 4.8 MEDIUM
EPSS: 0.5% (top 34.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 13; Latest update Jul 15

Description

In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string such as "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (hence "limited" path traversal), if the calling code uses the result to construct a path value.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5

Affected Packages: 67 packages

Also affects: Debian Linux 9.0

Patches

Vulnerability Details (4)

OSV: Path Traversal and Improper Input Validation in Apache Commons IO (2021-04-26)
GHSA: Path Traversal and Improper Input Validation in Apache Commons IO (2021-04-26)
OSV: CVE-2021-29425: In Apache Commons IO before 2 (2021-04-13)
CVEList: Possible limited path traversal vulnerability in Apache Commons IO (2021-04-13)

Vendor Advisories (13)

Oracle: Oracle Communications Risk Matrix: Security (Apache Commons IO) — CVE-2021-29425 (2024-07-15)
Oracle: Oracle Hyperion Risk Matrix: Security (Apache Commons IO) — CVE-2021-29425 (2024-01-15)
Oracle: Oracle Fusion Middleware Risk Matrix: General (Apache Commons IO) — CVE-2021-29425 (2023-07-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Infrastructure (Apache Commons IO) — CVE-2021-29425 (2023-04-15)
Oracle: Oracle Utilities Applications Risk Matrix: System Wide (Apache Commons IO) — CVE-2021-29425 (2023-01-15)