CVE-2021-29425

Vulnerable Component Details
Type:         maven
Namespace:    commons-io
Name:         commons-io
Version:      2.6
Package URL:  pkg:maven/commons-io/commons-io@2.6?type=jar
Vulnerability Details
ID: CVE-2021-29425
Description: In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Recommendation: State: fixed | Fix Versions: 2.7 | Upgrade to version 2.7 or above.
Ratings
Severity  Score Method  Vector                                        Source
None      None                                                        arch-linux
5.3       CVSSv31       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N  ghsa
5.8       CVSSv2        AV:N/AC:M/Au:N/C:P/I:P/A:N                    nvd
4.8       CVSSv31       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N  nvd
4.8       CVSSv31       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N  redhat
None      None                                                        ubuntu
Related Vulnerabilities
Found By: GitLab Gemnasium, Anchore Grype, Sonatype OSS-Index, Aquasec Trivy
References / Advisories
Weakness Enumeration