Posted to issues@maven.apache.org by "Dwayne E Culbertson (Jira)" <ji...@apache.org> on 2021/06/11 18:11:00 UTC

[jira] [Updated] (MSHARED-992) maven-shared-components uses commons-io 2.5 which is vulnerable

     [ https://issues.apache.org/jira/browse/MSHARED-992?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dwayne E Culbertson updated MSHARED-992:
----------------------------------------
    Description: 
 

Note: This vulnerability has been assigned CVE-2021-29425.
h4. ADVISORIES

Project: https://github.com/apache/commons-io/pull/52
Project: https://issues.apache.org/jira/browse/IO-556
Project: https://issues.apache.org/jira/browse/IO-559

 

  was:
h4. EXPLANATION
The {{commons-io}} package is vulnerable to Path Traversal. The {{getPrefixLength}} method in {{FilenameUtils.class}} improperly verifies the hostname value received from user input before processing client requests. An attacker could abuse this behavior by crafting a special payload containing unexpected characters that could allow access to unintended resources.

Note: This vulnerability has been assigned CVE-2021-29425.
h4. DETECTION
The application is vulnerable by using this component.
h4. RECOMMENDATION
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
h4. ROOT CAUSE
Archive: apache-maven-3.8.1-bin.tar.gz
Path: apache-maven-3.8.1/lib/commons-io-2.5.jar
Class: org/apache/commons/io/FilenameUtils.class
Affected version range: [1.1 , 2.7-SNAPSHOT)
h4. ADVISORIES
Project: https://github.com/apache/commons-io/pull/52
Project: https://issues.apache.org/jira/browse/IO-556
Project: https://issues.apache.org/jira/browse/IO-559
h4. CVSS DETAILS
Sonatype CVSS 3: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

        Summary: maven-shared-components uses commons-io 2.5 which is vulnerable  (was: maven-shared-components uses commons-io 2.5 which is vulnerable to sonatype-2018-0705)

> maven-shared-components uses commons-io 2.5 which is vulnerable
> ---------------------------------------------------------------
>
>                 Key: MSHARED-992
>                 URL: https://issues.apache.org/jira/browse/MSHARED-992
>             Project: Maven Shared Components
>          Issue Type: Bug
>            Reporter: Dwayne E Culbertson
>            Priority: Major
>              Labels: Security
>
>  
> Note: This vulnerability has been assigned CVE-2021-29425.
> h4. ADVISORIES
> Project: https://github.com/apache/commons-io/pull/52
> Project: https://issues.apache.org/jira/browse/IO-556
> Project: https://issues.apache.org/jira/browse/IO-559
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)