Vulnerability Description
In Apache Commons IO before 2.7, invoking FilenameUtils.normalize with an improper input string such as "//../foo" or "\\..\foo" returned the input unchanged instead of rejecting it. If the calling code uses that result to construct a path, the resulting path can reach files in the parent directory, but not further up (hence a "limited" path traversal).
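The following Java example is added by the editor to illustrate the calling-code side of the issue; it is not code from Apache Commons IO or from the advisory. It resolves an untrusted path under a base directory with two independent checks: a null check on the normalize() result (2.7 and later return null for inputs like "//../foo", which pre-2.7 versions pass through unchanged), and a canonical-path containment check that catches the pre-2.7 case on its own. The base directory and the probe strings are constructed for the demonstration, commons-io is assumed to be on the classpath, and the path behaviour shown assumes a Unix-like filesystem.

```java
// Editor-added illustration; not Commons IO or advisory code.
// Assumes commons-io on the classpath and a Unix-like filesystem.
import java.io.File;
import java.io.IOException;
import org.apache.commons.io.FilenameUtils;

public class SafeResolve {

    /** Thrown when the requested path is rejected. */
    public static class PathRejectedException extends IOException {
        public PathRejectedException(String msg) { super(msg); }
    }

    /**
     * Resolves userPath under base. Two independent checks are applied:
     *  1. FilenameUtils.normalize returns null for inputs it cannot
     *     normalize (plain "../foo" in all versions, "//../foo" only in
     *     2.7+); a null result must be rejected, never passed on.
     *  2. The canonical path of the candidate must stay inside base. This
     *     catches the pre-2.7 behaviour, where "//../foo" comes back
     *     unchanged and java.io.File then collapses "//" so the path
     *     climbs one level above base.
     */
    public static File resolveUnderBase(File base, String userPath) throws IOException {
        // unixSeparator=true: "\\..\foo" is converted to "//../foo" first
        String normalized = FilenameUtils.normalize(userPath, true);
        if (normalized == null) {
            throw new PathRejectedException("normalize() rejected: " + userPath);
        }
        File candidate = new File(base, normalized);
        // Trailing separator so that "/srv/app2" does not pass for base "/srv/app"
        String baseCanon = base.getCanonicalPath() + File.separator;
        String candCanon = candidate.getCanonicalPath();
        if (!candCanon.startsWith(baseCanon)) {
            throw new PathRejectedException("escapes base directory: " + userPath
                    + " -> " + candCanon);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo base directory (assumption for the example)
        File base = new File(System.getProperty("java.io.tmpdir"), "commons-io-demo");
        base.mkdirs();
        // Constructed probe inputs: one benign, the two strings from the
        // advisory, and a plain parent reference for comparison
        String[] probes = { "docs/readme.txt", "//../foo", "\\\\..\\foo", "../foo" };
        for (String p : probes) {
            String n = FilenameUtils.normalize(p, true);
            System.out.println("normalize(" + p + ") = " + n);
            try {
                System.out.println("  accepted: " + resolveUnderBase(base, p));
            } catch (PathRejectedException e) {
                System.out.println("  rejected: " + e.getMessage());
            }
        }
    }
}
```

With Commons IO 2.6 the second and third probes print a non-null normalize() result and are then rejected by the canonical-path check; with 2.7 or later they are rejected at the null check. The last probe is rejected by the null check in every version, which is why the traversal is limited to one level: the "//" or "\\" prefix is what let the ".." segment survive normalization.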
CVSS Score
4.8 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Io | >= 2.2, < 2.7 |
| Debian | Debian Linux | 9.0 |
| Oracle | Access Manager | 11.1.2.3.0 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Application Performance Management | 13.4.1.0 |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Banking Apis | 18.1 |
| Oracle | Banking Digital Experience | 17.2 |
| Oracle | Banking Enterprise Default Management | 2.6.2 |
| Oracle | Banking Enterprise Default Management | >= 2.3.0, <= 2.4.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Platform | >= 2.3.0, <= 2.4.1 |
| Oracle | Blockchain Platform | < 21.1.2 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Application Session Controller | 3.9.0 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 11.3 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.14.0 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.4.0 |
Related Weaknesses (CWE)
References
- https://issues.apache.org/jira/browse/IO-556 (Exploit, Issue Tracking, Vendor Advisory)
- https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a
- https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6
- https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e38711
- https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930
- https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad10692
- https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11
- https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdb
- https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975c
- https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc2
- https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3f
- https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a5
- https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093d
- https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641
- https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd310
FAQ
What is CVE-2021-29425?
CVE-2021-29425 is a vulnerability with a CVSS score of 4.8 (MEDIUM). In Apache Commons IO before 2.7, invoking FilenameUtils.normalize with an improper input string such as "//../foo" or "\\..\foo" returned the input unchanged, which can give calling code that builds a path from the result access to files in the parent directory, but not further up (a "limited" path traversal).
How severe is CVE-2021-29425?
CVE-2021-29425 has been rated MEDIUM with a CVSS base score of 4.8/10. The impact is limited to reading files one directory above the intended base, and only when the calling code passes the normalize() result into a path without further validation.
Is there a patch for CVE-2021-29425?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Commons Io, Debian Debian Linux, Oracle Access Manager, Oracle Agile Engineering Data Management, Oracle Agile Plm.