CVE-2021-29425
Description
In Apache Commons IO before 2.7, invoking the method FilenameUtils.normalize with an improper input string, such as //../foo or ..foo, returns the same value unchanged. If the calling code uses that result to construct a path, this can give access to files in the parent directory, but not further above it (a limited path traversal).
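An added example (not code from the page or from the Commons IO project) of the check the description implies: a caller must not treat the output of FilenameUtils.normalize as proof of safety, but must confirm the resolved path still lies inside the intended base directory. The class name, the scratch base directory and the sample inputs are assumed or constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import org.apache.commons.io.FilenameUtils;
// Hypothetical helper (not part of Commons IO): resolves an untrusted file name
// under a fixed base directory and refuses anything that would escape it.
public final class SafeFileResolver {
    private final Path baseDir;
    public SafeFileResolver(Path baseDir) throws IOException {
        // Resolve symlinks in the base itself so the containment check below is exact.
        this.baseDir = baseDir.toRealPath();
    }
    public Path resolve(String untrustedName) throws IOException {
        // normalize() returns null for input it considers invalid; treat that as a rejection.
        String normalized = FilenameUtils.normalize(untrustedName);
        if (normalized == null) {
            throw new IOException("rejected (cannot normalize): " + untrustedName);
        }
        // The CVE-2021-29425 lesson: do not trust the normalized string on its own. Before 2.7,
        // input such as "//../foo" came back unchanged, so a caller that merely concatenated it
        // onto a base path could still reach the parent directory.
        Path candidate;
        try {
            candidate = baseDir.resolve(normalized).normalize();
        } catch (InvalidPathException e) {
            throw new IOException("rejected (invalid path): " + untrustedName, e);
        }
        if (!candidate.startsWith(baseDir)) {
            throw new IOException("rejected (escapes base directory): " + untrustedName);
        }
        // If the target already exists, check its real path too, so a symlink placed
        // inside baseDir cannot point back out of it.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(baseDir)) {
            throw new IOException("rejected (symlink escapes base directory): " + untrustedName);
        }
        return candidate;
    }
    public static void main(String[] args) throws IOException {
        // Constructed inputs: a scratch base directory and the names from the advisory text.
        SafeFileResolver resolver = new SafeFileResolver(Files.createTempDirectory("demo"));
        for (String name : new String[] {"docs/readme.txt", "..foo", "//../foo", "../passwd"}) {
            try {
                System.out.println(name + " -> allowed: " + resolver.resolve(name));
            } catch (IOException e) {
                System.out.println(name + " -> " + e.getMessage());
            }
        }
    }
}
```

Note that "..foo" is a legitimate file name inside the base directory and is allowed, while "//../foo" and "../passwd" are refused by the containment check regardless of what normalize() returned.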
Risk Information
Base Score
4.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.606
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.1.3.0.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.3.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0 | Windows |
| Vulnerabilities CVE-2021-29425 are fixed in Apache-commons-io 2.7 | Windows |
| Vulnerabilities CVE-2021-29425 are fixed in Checker-Framework-commons-io 2.7 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 20.0.0.2 | Windows |
| Multiple Vulnerabilities are affected in Netapp Active Iq Unified Manager 2.3 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.57 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.58 | Windows |
| Multiple vulnerabilities are affected in Oracle Communications Order and Service Management 7.3 | Windows |
| Multiple vulnerabilities are affected in Oracle Communications Order and Service Management 7.4 | Windows |
| Multiple vulnerabilities are affected in Oracle Financial Services Revenue Management and Billing 2.7 | Windows |
| Multiple vulnerabilities are affected in Oracle Financial Services Revenue Management and Billing 2.8 | Windows |
| Multiple vulnerabilities are affected in Oracle Financial Services Revenue Management and Billing 2.9 | Windows |
| Vulnerabilities CVE-2021-29425,CVE-2021-43859,CVE-2022-23437,CVE-2022-34169,CVE-2022-40146 are affected in Oracle Financial Services Revenue Management and Billing 3.0 | Windows |
| Vulnerabilities CVE-2021-29425,CVE-2021-43859,CVE-2022-23437,CVE-2022-34169,CVE-2022-40146 are affected in Oracle Financial Services Revenue Management and Billing 3.1 | Windows |
| Vulnerabilities CVE-2021-29425,CVE-2021-43859,CVE-2022-23437,CVE-2022-34169,CVE-2022-40146 are affected in Oracle Financial Services Revenue Management and Billing 3.2 | Windows |
| Vulnerabilities CVE-2021-29425,CVE-2021-43859,CVE-2022-23437,CVE-2022-34169,CVE-2022-40146 are affected in Oracle Financial Services Revenue Management and Billing 4.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 10.5 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 10.6 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.2 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Controller 11.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.4 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.6 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.1.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 21.0.3.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Business Automation Workflow 22.0.2 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.4 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.4 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.5.2 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0.1 | Windows |
| Vulnerabilities CVE-2021-29425 are affected in Cosium - vet 3.22 | Windows |
| Vulnerabilities CVE-2021-29425 are affected in Diamondq - common-thirdparty.jcasbin 1.4.0 | Windows |
| Vulnerabilities CVE-2021-29425 are affected in Liferay - com.liferay.sass.compiler.jsass 1.0.1 | Windows |
| Vulnerabilities CVE-2021-29425 are affected in Virjar - ratel-api 1.3.6 | Windows |
| Vulnerabilities CVE-2021-29425 are affected in Hasor - cobble-lang 4.6.2 | Windows |
| Vulnerabilities CVE-2021-29425 are affected in Apache - commons-io 1.3.2 | Windows |
| Vulnerabilities CVE-2021-29425 are affected in Apache - org.apache.servicemix.bundles.commons-io 1.5 | Windows |
| Vulnerabilities CVE-2021-29425 are affected in Smartboot - servlet-core 0.6 | Windows |
| SUSE-SU-2021:1315-1(SUSE Linux Enterprise Server 12-SP5 ) apache-commons-io-2.4-9.3.1.noarch.rpm | Linux |
| Common useful IO related classes (USN-5095-1) libcommons-io-java_2.6-2ubuntu0.18.04.1_all.deb | Linux |
| Common useful IO related classes (USN-5095-1) libcommons-io-java_2.6-2ubuntu0.20.04.1_all.deb | Linux |
| SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-base-5.14.21-150400.24.49.3.150400.24.19.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-debuginfo-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-debugsource-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-devel-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-default-devel-debuginfo-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-obs-build-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-obs-build-debugsource-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-syms-5.14.21-150400.24.49.4.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Legacy Module 15-SP4 ) reiserfs-kmp-default-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Legacy Module 15-SP4 ) reiserfs-kmp-default-debuginfo-5.14.21-150400.24.49.3.x86_64.rpm | Linux |
| SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-devel-5.14.21-150400.24.49.4.noarch.rpm | Linux |
| SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-docs-5.14.21-150400.24.49.4.noarch.rpm | Linux |
| SUSE-SU-2023:0796-1(Basesystem Module 15-SP4 ) kernel-macros-5.14.21-150400.24.49.4.noarch.rpm | Linux |
| SUSE-SU-2023:0796-1(Development Tools Module 15-SP4 ) kernel-source-5.14.21-150400.24.49.4.noarch.rpm | Linux |
| apache-commons-io Security Update (ALAS-2023-2059) apache-commons-io-2.4-12.amzn2.0.1.noarch.rpm | Linux |
| apache-commons-io Security Update (ALAS-2023-2059) apache-commons-io-javadoc-2.4-12.amzn2.0.1.noarch.rpm | Linux |
| Vulnerabilities CVE-2021-29425 are fixed in Apache-commons-io for Linux 2.7 | Linux |
| Vulnerabilities CVE-2021-29425 are fixed in Checker-Framework-commons-io for Linux 2.7 | Linux |
| apache-commons-io Security Update (ALAS2-2023-2059) apache-commons-io-2.4-12.amzn2.0.1.noarch.rpm | Linux |
| apache-commons-io Security Update (ALAS2-2023-2059) apache-commons-io-javadoc-2.4-12.amzn2.0.1.noarch.rpm | Linux |
| Vulnerabilities CVE-2021-29425 are affected in Cosium - vet for Linux 3.22 | Linux |
| Vulnerabilities CVE-2021-29425 are affected in Diamondq - common-thirdparty.jcasbin for Linux 1.4.0 | Linux |
| Vulnerabilities CVE-2021-29425 are affected in Liferay - com.liferay.sass.compiler.jsass for Linux 1.0.1 | Linux |
| Vulnerabilities CVE-2021-29425 are affected in Virjar - ratel-api for Linux 1.3.6 | Linux |
| Vulnerabilities CVE-2021-29425 are affected in Hasor - cobble-lang for Linux 4.6.2 | Linux |
| Vulnerabilities CVE-2021-29425 are affected in Apache - commons-io for Linux 1.3.2 | Linux |
| Vulnerabilities CVE-2021-29425 are affected in Apache - org.apache.servicemix.bundles.commons-io for Linux 1.5 | Linux |
| Vulnerabilities CVE-2021-29425 are affected in Smartboot - servlet-core for Linux 0.6 | Linux |
Patch Details
No records found