CVE-2021-29425
Last modified
CVE-2021-29425 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.. EPSS estimates a 10.61% chance of exploitation in the next 30 days.
Description
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Io | 2.2 |
| Apache | Commons Io | 2.3 |
| Apache | Commons Io | 2.4 |
| Apache | Commons Io | 2.5 |
| Apache | Commons Io | 2.6 |
| Debian | Debian Linux | 9.0 |
| Oracle | Access Manager | 11.1.2.3.0 |
| Oracle | Access Manager | 12.2.1.3.0 |
| Oracle | Access Manager | 12.2.1.4.0 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.6 |
| Oracle | Application Performance Management | 13.4.1.0 |
| Oracle | Application Performance Management | 13.5.1.0 |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Banking Apis | 18.1 |
| Oracle | Banking Apis | 18.2 |
| Oracle | Banking Apis | 18.3 |
| Oracle | Banking Apis | 19.1 |
| Oracle | Banking Apis | 19.2 |
| Oracle | Banking Apis | 20.1 |
| Oracle | Banking Apis | 21.1 |
| Oracle | Banking Digital Experience | 17.2 |
| Oracle | Banking Digital Experience | 18.1 |
| Oracle | Banking Digital Experience | 18.3 |
| Oracle | Banking Digital Experience | 19.1 |
| Oracle | Banking Digital Experience | 19.2 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Banking Digital Experience | 21.1 |
| Oracle | Banking Enterprise Default Management | 2.6.2 |
| Oracle | Banking Enterprise Default Management | 2.7.0 |
| Oracle | Banking Enterprise Default Management | 2.7.1 |
| Oracle | Banking Enterprise Default Management | 2.10.0 |
| Oracle | Banking Enterprise Default Management | 2.12.0 |
| Oracle | Banking Enterprise Default Managment | >= 2.3.0, <= 2.4.0 |
| Oracle | Banking Party Management | 2.7.0 |
| Oracle | Banking Platform | >= 2.3.0, <= 2.4.1 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Banking Platform | 2.7.0 |
| Oracle | Banking Platform | 2.7.1 |
| Oracle | Blockchain Platform | < 21.1.2 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Application Session Controller | 3.9.0 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 11.3 |
| Oracle | Communications Billing And Revenue Management Elastic Charging Engine | 12.0 |
| Oracle | Communications Cloud Native Core Network Repository Function | 1.14.0 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.4.0 |
| Oracle | Communications Contacts Server | 8.0.0.6.0 |
| Oracle | Communications Converged Application Server - Service Controller | 6.2 |
| Oracle | Communications Convergence | 3.0.2.2.0 |
Showing 50 of 134 affected configurations. See NVD for the full list.
References
- https://issues.apache.org/jira/browse/IO-556Exploit, Issue Tracking, Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2021/08/msg00016.htmlMailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20220210-0004/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
- https://issues.apache.org/jira/browse/IO-556Exploit, Issue Tracking, Vendor Advisory
- https://lists.debian.org/debian-lts-announce/2021/08/msg00016.htmlMailing List, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20220210-0004/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-29425?
How severe is CVE-2021-29425?
How do I fix CVE-2021-29425?
Are you affected by CVE-2021-29425?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST