CVE-2021-29425medium
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
References
https://issues.apache.org/jira/browse/IO-556
https://lists.apache.org/thread.html/[email protected]%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.myfaces.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cusers.kafka.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cuser.commons.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cuser.commons.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cpluto-scm.portals.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Ccommits.zookeeper.apache.org%3E
Details
Source: MITRE
Published: 2021-04-13
Updated: 2021-11-29
Type: CWE-22
Risk Information
CVSS v2
Base Score: 5.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Impact Score: 4.9
Exploitability Score: 8.6
Severity: MEDIUM
CVSS v3
Base Score: 4.8
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Impact Score: 2.5
Exploitability Score: 2.2
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:apache:commons_io:2.2:-:*:*:*:*:*:*
cpe:2.3:a:apache:commons_io:2.3:-:*:*:*:*:*:*
cpe:2.3:a:apache:commons_io:2.4:-:*:*:*:*:*:*
cpe:2.3:a:apache:commons_io:2.5:-:*:*:*:*:*:*
cpe:2.3:a:apache:commons_io:2.6:-:*:*:*:*:*:*
cpe:2.3:a:apache:pluto:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:whisker:*:*:*:*:*:*:*:*
Configuration 2
OR
Configuration 3
OR
cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_calendar_server:8.0.0.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:* versions from 12.6.0 to 12.6.4 (inclusive)
cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_management:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_financial_management:11.2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 17.12.0 to 17.12.11 (inclusive)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 18.8.0 to 18.8.12 (inclusive)
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:* versions from 19.12.0 to 19.12.11 (inclusive)
cpe:2.3:a:oracle:real-time_decision_server:3.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:* versions from 16.0 to 19.0 (inclusive)
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 156832 | Oracle Primavera Unifier (Jan 2022 CPU) | Nessus | CGI abuses | critical |
| 154771 | Oracle WebLogic Server Multiple Vulnerabilities (Oct 2021 CPU) | Nessus | Misc. | critical |
| 154332 | Oracle Database Server Multiple Vulnerabilities (October 2021 CPU) | Nessus | Databases | critical |
| 154297 | Oracle Primavera Gateway (Oct 2021 CPU) | Nessus | CGI abuses | high |
| 154267 | Oracle MySQL Enterprise Monitor (Oct 2021 CPU) | Nessus | CGI abuses | high |
| 153835 | RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.4.1 security update on RHEL 7 (Important) (RHSA-2021:3656) | Nessus | Red Hat Local Security Checks | high |
| 153832 | RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.4.1 security update on RHEL 8 (Important) (RHSA-2021:3658) | Nessus | Red Hat Local Security Checks | high |
| 153788 | Ubuntu 18.04 LTS / 20.04 LTS : Apache Commons IO vulnerability (USN-5095-1) | Nessus | Ubuntu Local Security Checks | medium |
| 152662 | Debian DLA-2741-1 : commons-io - LTS security update | Nessus | Debian Local Security Checks | medium |
| 149616 | openSUSE Security Update : apache-commons-io (openSUSE-2021-605) | Nessus | SuSE Local Security Checks | medium |