apache commons-io CVE-2021-29425 vulnerability in Apache and Other Products
Published on April 13, 2021

Possible limited path traversal vulnerabily in Apache Commons IO

product logo product logo product logo product logo
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

NVD

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Products Associated with CVE-2021-29425

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-29425 are published in these products:

Apache Commons Io
 
Apache Pluto
 
Apache Whisker
 
Apache Zookeeper
 
Debian Linux
 
Oracle Communications Application Session Controller
 
Oracle Communications Calendar Server
 
Oracle Communications Converged Application Server Service Controller
 
Oracle Communications Metasolv Solution
 
Oracle Documaker
 
Oracle Goldengate Application Adapters
 
Oracle Hyperion Financial Management
 
Oracle Peoplesoft Enterprise Peopletools
 
Oracle Primavera Gateway
 
Oracle Real Time Decision Server
 
Oracle Retail Customer Management Segmentation Foundation
 
Oracle Weblogic Server
 
Oracle Communications Messaging Server
 
Oracle Access Manager
 
Oracle Application Performance Management
 
Oracle Application Testing Suite
 
Oracle Banking Apis
 
Oracle Banking Digital Experience
 
Oracle Banking Enterprise Default Managment
 
Oracle Banking Party Management
 
Oracle Banking Platform
 
Oracle Commerce Guided Search
 
Oracle Communications Billing Revenue Management Elastic Charging Engine
 
Oracle Communications Cloud Native Core Network Repository Function
 
Oracle Communications Cloud Native Core Unified Data Repository
 
Oracle Communications Convergence
 
Oracle Communications Interactive Session Recorder
 
Oracle Communications Offline Mediation Controller
 
Oracle Communications Service Broker
 
Oracle Enterprise Communications Broker
 
Oracle Enterprise Session Border Controller
 
Oracle Financial Services Analytical Applications Infrastructure
 
Oracle Financial Services Model Management Governance
 
Oracle Fusion Middleware Mapviewer
 
Oracle Oss Support Tools
 
Oracle Primavera Unifier
 
Oracle Real User Experience Insight
 
Oracle Retail Assortment Planning
 
Oracle Retail Integration Bus
 
Oracle Retail Order Broker
 
Oracle Retail Service Backbone
 
Oracle Retail Size Profile Optimization
 
Oracle Utilities Testing Accelerator
 
NetApp Active Iq Unified Manager
 
Oracle Solaris Cluster
 
Oracle Webcenter Portal
 
Oracle Agile Plm
 
Oracle Communications Order Service Management
 
Oracle Insurance Rules Palette
 
Oracle Communications Pricing Design Center
 
Oracle Healthcare Data Repository
 
Oracle Insurance Policy Administration
 
Oracle Blockchain Platform
 
Oracle Communications Cloud Native Core Policy
 
Oracle Communications Contacts Server
 
Oracle Communications Design Studio
 
Oracle Communications Diameter Intelligence Hub
 
Oracle Communications Policy Management
 
Oracle Health Sciences Information Manager
 
Oracle Helidon
 
Oracle Rest Data Services
 
Oracle Banking Enterprise Default Management
 
Oracle Flexcube Core Banking
 
Oracle Retail Merchandising System
 
Oracle Agile Engineering Data Management
 
Oracle Retail Xstore Point Of Service
 
Oracle Retail Pricing
 
Oracle Health Sciences Data Management Workbench
 

Affected Versions

Apache Software Foundation Apache Commons IO:

Exploit Probability

EPSS
0.61%
Percentile
69.20%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.