#VU52252 Path traversal in Apache Commons IO


Published: 2021-04-15

Vulnerability identifier: #VU52252

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-29425

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Commons IO
Universal components / Libraries / Software for developers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Apache Commons IO: 2.0 - 2.6


CPE

External links
http://issues.apache.org/jira/browse/IO-556
http://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E
http://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability