CVE-2021-29425

Summary

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Commons IOApache Commons IO 2.2affected
Apache Software FoundationApache Commons IOApache Commons IO 2.3affected
Apache Software FoundationApache Commons IOApache Commons IO 2.4affected
Apache Software FoundationApache Commons IOApache Commons IO 2.5affected
Apache Software FoundationApache Commons IOApache Commons IO 2.6affected

Weaknesses

  • CWE-20: CWE-20 Improper Input Validation

Workarounds

Neither the method in question (FileNameUtils.normalize) nor any methods, that invoke it, do actually access any files. There's only a string returned, from which a path can be constructed. In other words, a possible workaround would be not passing any unsafe input to FileNameUtils.normalize. Upgrade to Apache Commons IO 2.7, or later, where the same method returns the value null, as an indication of "invalid input".

ADP Enrichment

CVE Program Container

Additional References

References