Lucene search

K
amazonAmazonALAS2-2023-2059
HistoryMay 25, 2023 - 5:41 p.m.

Medium: apache-commons-io

2023-05-2517:41:00
alas.aws.amazon.com
18
apache commons io
path traversal
vulnerability
amazon linux 2
update
cve-2021-29425
red hat
mitre

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7

Confidence

High

EPSS

0.002

Percentile

57.2%

Issue Overview:

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like “//…/foo”, or “\\…\foo”, the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus “limited” path traversal), if the calling code would use the result to construct a path value. (CVE-2021-29425)

Affected Packages:

apache-commons-io

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update apache-commons-io to update your system.

New Packages:

noarch:  
    apache-commons-io-2.4-12.amzn2.0.1.noarch  
    apache-commons-io-javadoc-2.4-12.amzn2.0.1.noarch  
  
src:  
    apache-commons-io-2.4-12.amzn2.0.1.src  

Additional References

Red Hat: CVE-2021-29425

Mitre: CVE-2021-29425

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7

Confidence

High

EPSS

0.002

Percentile

57.2%