Severity: 4.8 (Medium)
Details
- CVSS score: 4.8
- CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
- CWE ID
Overview
About vulnerability
In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like “//../foo” or “\..\foo”, the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus “limited” path traversal), if the calling code would use the result to construct a path value.
Details
- Affected product:
- Apache Commons, Apache Hadoop, Apache Hive, Apache Lucene, Apache Maven, Apache Spark, Apache Struts, Apache Tapestry, Apache Velocity, Eclipse Jetty, Hibernate, Plexus, Spring, Wildfly, accumulo, activemq, agepredictor, avro, bookkeeper-common-allocator, cocoon, creadur-rat, cxf, docx4j, dropwizard-metrics-hadoop-metrics2-reporter, elasticsearch, fastexcel, file-management, flume-ng-core, gradle, hbase, htmlunit, jackrabbit, james-mime4j, jasperreports, java-opensaml, jhighlight, karaf, kotlin, less4j, littleproxy, logging-flume, logging-log4j2, lucene, maven, narayana, neo4j-ogm, org.ops4j.pax.url, poi, pulsar, resteasy, shadow, solr, tika, webdrivermanager, wildfly, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop
- Affected packages:
- spring-boot-security-test-web-helloworld @ 1.5.22.RELEASE (+3647 more)
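The description above turns on calling code that trusts the normalized string to build a path. The following is an added example, not code from Apache Commons IO or from any affected project: it shows the containment check a caller should apply regardless of what a normalizer returns, using only java.nio.file. It resolves the caller-supplied name against a base directory and rejects any result that leaves that directory, so inputs of the shape the advisory names (“//../foo”, “\..\foo”) cannot reach the parent. The base directory and the sample inputs are assumptions chosen for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class SafePathResolver {
    private SafePathResolver() {}

    /**
     * Resolves a caller-supplied relative name against baseDir and rejects any
     * result that escapes baseDir. Added defender-side example: the check does
     * not depend on FilenameUtils.normalize at all, so it holds for Commons IO
     * versions before 2.7 as well as after.
     */
    public static Path resolveWithin(Path baseDir, String userSupplied) {
        Path base = baseDir.toAbsolutePath().normalize();
        // Treat backslashes as separators too, so "\..\foo" is not read as a
        // plain file name on a POSIX JVM where '\' is not a separator.
        String unified = userSupplied.replace('\\', '/');
        // resolve() returns the argument unchanged if it is absolute ("//../foo"
        // is absolute on POSIX), so the startsWith check below still catches it.
        Path candidate = base.resolve(unified).normalize();
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/data"); // assumed base directory
        // Constructed sample inputs: one benign name, the two shapes from the
        // advisory, and a benign name containing a ".." that stays inside base.
        String[] samples = { "reports/q1.txt", "//../foo", "\\..\\foo", "sub/../ok.txt" };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveWithin(base, s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The design point is that normalization is string manipulation, while containment is a property of the resolved path; checking `candidate.startsWith(base)` after `normalize()` on both sides is what actually bounds the result, and it should be done whether or not the library version in use is fixed.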