GHSA-gwrp-pvrq-jmwv

Source
https://github.com/advisories/GHSA-gwrp-pvrq-jmwv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gwrp-pvrq-jmwv
Aliases
Published
2021-04-26T16:04:00Z
Modified
2024-03-12T05:31:30.961796Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Path Traversal and Improper Input Validation in Apache Commons IO
Details

In Apache Commons IO before 2.7, invoking the method FilenameUtils.normalize with an improper input string, such as "//../foo" or "\..\foo", returns the same value unchanged. If the calling code uses the result to construct a path, this can grant access to files in the parent directory, but not further above (hence "limited" path traversal).

Database specific
{
    "nvd_published_at": "2021-04-13T07:15:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-26T15:21:31Z"
}
References

Affected packages

Maven / commons-io:commons-io

Package

Name
commons-io:commons-io
Purl
pkg:maven/commons-io/commons-io

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.7

Affected versions

0.*

0.1

1.*

1.0
1.1
1.2
1.3
1.3.1
1.3.2
1.4

2.*

2.0
2.0.1
2.1
2.2
2.3
2.4
2.5
2.6

Maven / com.cosium.vet:vet

Package

Name
com.cosium.vet:vet
Purl
pkg:maven/com.cosium.vet/vet

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Last affected
3.22

Affected versions

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.11
1.12
1.13

2.*

2.2
2.3
2.6
2.7
2.8
2.9

3.*

3.0
3.10
3.11
3.12
3.13
3.14
3.15
3.16
3.17
3.18
3.19
3.22

Maven / com.diamondq.common:common-thirdparty.jcasbin

Package

Name
com.diamondq.common:common-thirdparty.jcasbin
Purl
pkg:maven/com.diamondq.common/common-thirdparty.jcasbin

Affected ranges

Affected versions

1.*

1.4.0

Maven / com.liferay:com.liferay.sass.compiler.jsass

Package

Name
com.liferay:com.liferay.sass.compiler.jsass
Purl
pkg:maven/com.liferay/com.liferay.sass.compiler.jsass

Affected ranges

Affected versions

1.*

1.0.1

Maven / com.virjar:ratel-api

Package

Name
com.virjar:ratel-api
Purl
pkg:maven/com.virjar/ratel-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0.0
Last affected
1.3.6

Affected versions

1.*

1.0.0
1.1.0
1.2.0
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6

Maven / net.hasor:cobble-lang

Package

Name
net.hasor:cobble-lang
Purl
pkg:maven/net.hasor/cobble-lang

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.1
Last affected
4.6.2

Affected versions

4.*

4.4.1
4.4.2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.6.0
4.6.1
4.6.2

Maven / org.apache.commons:commons-io

Package

Name
org.apache.commons:commons-io
Purl
pkg:maven/org.apache.commons/commons-io

Affected ranges

Affected versions

1.*

1.3.2

Maven / org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io

Package

Name
org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io
Purl
pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-io

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.4
Last affected
1.5

Affected versions

1.*

1.4_1
1.4_2
1.4_3

Maven / org.checkerframework.annotatedlib:commons-io

Package

Name
org.checkerframework.annotatedlib:commons-io
Purl
pkg:maven/org.checkerframework.annotatedlib/commons-io

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6
Fixed
2.7

Affected versions

2.*

2.6
2.6.0.1

Maven / org.smartboot.servlet:servlet-core

Package

Name
org.smartboot.servlet:servlet-core
Purl
pkg:maven/org.smartboot.servlet/servlet-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1.9
Last affected
0.6

Affected versions

0.*

0.1.9
0.2
0.2.1
0.3
0.3.1
0.4
0.5
0.6