Описание
ELSA-2025-10548: apache-commons-vfs security update (MODERATE)
[2.0-11.0.1]
- Simplify UriParser [Orabug: 38161936][CVE-2025-27553]
Обновленные пакеты
Oracle Linux 7
Oracle Linux x86_64
apache-commons-vfs
2.0-11.0.1.el7
apache-commons-vfs-ant
2.0-11.0.1.el7
apache-commons-vfs-examples
2.0-11.0.1.el7
apache-commons-vfs-javadoc
2.0-11.0.1.el7
Связанные CVE
Связанные уязвимости
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Relative Path Traversal vulnerability in Apache Commons VFS before 2.1 ...
Apache Commons VFS Has Relative Path Traversal Vulnerability