Description
Security update for apache-commons-io
This update for apache-commons-io fixes the following issues:
- CVE-2021-29425: Limited path traversal when invoking the method FileNameUtils.normalize with an improper input string (bsc#1184755)
Package list
Container bci/openjdk-devel:11
apache-commons-io-2.6-3.3.1
Container bci/openjdk-devel:17
apache-commons-io-2.6-3.3.1
Container bci/openjdk-devel:latest
apache-commons-io-2.6-3.3.1
Container containers/apache-pulsar:3.3
apache-commons-io-2.6-3.3.1
Container suse/manager/5.0/x86_64/server:latest
apache-commons-io-2.6-3.3.1
Container suse/multi-linux-manager/5.1/x86_64/server:latest
apache-commons-io-2.6-3.3.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure
apache-commons-io-2.6-3.3.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM
apache-commons-io-2.6-3.3.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE
apache-commons-io-2.6-3.3.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
apache-commons-io-2.6-3.3.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
apache-commons-io-2.6-3.3.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3-BYOS
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3-EC2-llc
apache-commons-io-2.6-3.3.1
Image SLES15-SP4-Manager-Server-4-3-EC2-ltd
apache-commons-io-2.6-3.3.1
SUSE Linux Enterprise Module for Basesystem 15 SP2
apache-commons-io-2.6-3.3.1
References
- Link for SUSE-SU-2021:1282-1
- E-Mail link for SUSE-SU-2021:1282-1
- SUSE Security Ratings
- SUSE Bug 1184755
- SUSE CVE CVE-2021-29425 page
Description
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
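The risk described above arises only when calling code builds a path from the returned string, so a containment check at that point holds whether or not the library is patched. The following is an added example, not code from Apache Commons IO or from the SUSE advisory; the class name, the helper `resolveInside` and the temporary base directory are assumptions made for illustration, and it uses only the JDK.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ContainmentCheck {

    // Hypothetical helper: resolve an untrusted name under baseDir and reject
    // any result that lexically leaves baseDir, without trusting that the
    // name was cleaned by an earlier normalize() call.
    static Path resolveInside(Path baseDir, String untrustedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        // Treat both separator styles alike and drop leading separators so
        // the name is always resolved relative to base. This is deliberately
        // conservative: on Unix a backslash is a legal filename character.
        String relative = untrustedName.replace('\\', '/').replaceAll("^/+", "");
        Path candidate = base.resolve(relative).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory: " + untrustedName);
        }
        // Lexical check only: symbolic links are not resolved here. For files
        // that already exist, compare toRealPath() results as well.
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads"); // constructed base directory
        // Constructed inputs: one benign name plus the two strings quoted in
        // the CVE description.
        String[] names = { "reports/2021.txt", "//../foo", "\\\\..\\foo" };
        for (String name : names) {
            try {
                System.out.println("accepted: " + resolveInside(base, name));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Updating to the fixed package listed in this advisory remains the primary remediation; the check is defence in depth for code that joins user-supplied names to a base directory.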
Affected products
Container bci/openjdk-devel:11:apache-commons-io-2.6-3.3.1
Container bci/openjdk-devel:17:apache-commons-io-2.6-3.3.1
Container bci/openjdk-devel:latest:apache-commons-io-2.6-3.3.1
Container containers/apache-pulsar:3.3:apache-commons-io-2.6-3.3.1
References
- CVE-2021-29425
- SUSE Bug 1184755