CVE-2021-29425

CVSS v2.0

5.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions Apache Commons IO versions prior to 2.7

Description The issue is related to the FileNameUtils.normalize method in Apache Commons IO, which incorrectly handles directory traversal sequences such as "//../foo" or "..foo". This could allow a remote attacker to gain unauthorized access to protected information by potentially providing access to files in the parent directory, but not further above, thus "limited" path traversal.

Recommendations For Apache Commons IO versions prior to 2.7, update to version 2.7 or later to resolve the issue. As a temporary workaround, consider validating input strings to the FileNameUtils.normalize method to prevent improper input, such as "//../foo" or "..foo", from being processed. Restrict access to sensitive files and directories to minimize the risk of exploitation.

Exploit

Fix

RCE

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-22

Related Identifiers

ALT-PU-2017-3596

ALT-PU-2017-3597

ALT-PU-2021-4854

BDU:2021-02220

CVE-2021-29425

DLA-2741-1

GHSA-GWRP-PVRQ-JMWV

OESA-2021-1182

OPENSUSE-SU-2021:0605-1

OPENSUSE-SU-2021_0605-1

OPENSUSE-SU-2024:12099-1

RHSA-2021:3466

RHSA-2021:3467

RHSA-2021:3468

RHSA-2021:3656

RHSA-2021:3658

SUSE-SU-2021:1282-1

SUSE-SU-2021:1315-1

SUSE-SU-2021_1282-1

SUSE-SU-2021_1315-1

USN-5095-1

Affected Products

Alt Linux

Apache Commons Io

Astra Linux

Linuxmint

Oracle Weblogic Server

Suse

Ubuntu

CVE-2021-29425

Weakness Enumeration

Related Identifiers

Affected Products

References · 134