Description
Security update for apache-commons-vfs2
This update for apache-commons-vfs2 fixes the following issues:
- CVE-2025-27553: Fixed possible path traversal issue when using NameScope.DESCENDENT (bsc#1239973)
- CVE-2025-30474: Fixed an information disclosure where failing to find an FTP file revealed the URI's password in the error message (bsc#1239974)
Other fixes:
- Upgrade to upstream version 2.10.0
Package list
openSUSE Leap 15.6
Links
- Link for SUSE-SU-2025:1022-1
- E-Mail link for SUSE-SU-2025:1022-1
- SUSE Security Ratings
- SUSE Bug 1239973
- SUSE Bug 1239974
- SUSE CVE CVE-2025-27553 page
- SUSE CVE CVE-2025-30474 page
Description
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
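The following is an added illustration, not code from Apache Commons VFS or from this advisory: a small Python model of the flaw described above, where a descendent check is applied to the raw name before percent-decoding, so "%2E%2E" slips past a comparison that would have caught "..". The hardened resolver decodes and normalises first and then verifies that the result is strictly below the base. The base path, sample names and the two resolver functions are constructed for the example and do not reproduce the VFS implementation.

```python
"""Model of the NameScope.DESCENDENT bypass: a raw-string check misses "%2E%2E"."""
from urllib.parse import unquote
import posixpath

# Constructed base directory for the example (hypothetical path).
BASE = "/srv/data/base"


def resolve_descendent_naive(base: str, name: str) -> str:
    """Scope check performed on the undecoded name, as in the flawed pattern.

    A literal ".." segment is rejected, but "%2E%2E" does not match the
    comparison, so it passes the check and is only decoded afterwards by
    the layer that actually touches the file system.
    """
    for segment in name.split("/"):
        if segment == "..":
            raise ValueError("not a descendent of %s: %r" % (base, name))
    # Decoding after the check: the traversal survives.
    return posixpath.normpath(posixpath.join(base, unquote(name)))


def resolve_descendent_safe(base: str, name: str) -> str:
    """Decode first, normalise, then verify the result is strictly below base."""
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, unquote(name)))
    # DESCENDENT excludes the base itself and anything outside it; the
    # trailing "/" also stops "/srv/data/base2" passing a bare prefix test.
    if candidate == base_norm or not candidate.startswith(base_norm + "/"):
        raise ValueError("not a descendent of %s: %r" % (base, name))
    return candidate


def outcome(resolver, name: str) -> str:
    """Return the resolved path, or "rejected" if the scope check fired."""
    try:
        return resolver(BASE, name)
    except ValueError:
        return "rejected"


# Constructed inputs: a plain traversal, the encoded form from the advisory,
# an absolute path, the base itself and a legitimate descendent.
SAMPLES = ["../bar.txt", "%2E%2E/bar.txt", "/etc/passwd", "", "sub/bar.txt"]


def compare() -> dict:
    """Side-by-side results for each sample under both resolvers."""
    return {
        name: (outcome(resolve_descendent_naive, name),
               outcome(resolve_descendent_safe, name))
        for name in SAMPLES
    }


if __name__ == "__main__":
    for name, (naive, safe) in compare().items():
        print("%-16r naive=%-28s safe=%s" % (name, naive, safe))
```

Running the script shows the naive resolver rejecting "../bar.txt" yet returning /srv/data/bar.txt for "%2E%2E/bar.txt", which is exactly the outcome the advisory describes; the safe resolver rejects both, along with the absolute path and the empty name (the base itself is not a descendent). The same ordering rule, decode and canonicalise before comparing, applies to any scope or sandbox check, not only to this API.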
Affected products
Links
- CVE-2025-27553
- SUSE Bug 1239973
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
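As an added example of the mitigation described above (not code from Apache Commons VFS), the Python snippet below masks the userinfo password of a URI before the URI is placed into an exception message, and wraps a constructed file lookup so that the raw URI never reaches the message at all. The lookup function, the listing and the sample FTP URI are invented for the example.

```python
"""Masking the password of a URI before it goes into an exception message."""
from urllib.parse import urlsplit, urlunsplit


def mask_uri_password(uri: str, mask: str = "***") -> str:
    """Return uri with any userinfo password replaced by mask.

    URIs without a password are returned unchanged, so the function can be
    applied unconditionally to every URI that reaches a log line or exception.
    """
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = "[" + host + "]"
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    netloc = "%s:%s@%s" % (parts.username or "", mask, host)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


class MaskedFileNotFound(Exception):
    """Exception whose message carries the URI with the password masked."""

    def __init__(self, uri: str):
        self.uri = mask_uri_password(uri)      # never keep the raw form
        super().__init__('Could not find file "%s".' % self.uri)


def find_file(uri: str, present: set) -> str:
    """Look the URI up in a constructed 'remote listing'; raise if absent."""
    if uri in present:
        return uri
    raise MaskedFileNotFound(uri)


def not_found_message(uri: str, present: set) -> str:
    """Message a caller would see after a failed lookup (password masked)."""
    try:
        find_file(uri, present)
        return ""
    except MaskedFileNotFound as exc:
        return str(exc)


# Constructed sample: a credentialled FTP URI for a file that does not exist.
SECRET_URI = "ftp://alice:s3cret%21@ftp.example.com:2121/pub/missing.txt"
LISTING = {"ftp://alice:s3cret%21@ftp.example.com:2121/pub/present.txt"}


if __name__ == "__main__":
    print(not_found_message(SECRET_URI, LISTING))
```

Note that urlsplit lowercases the host name, so the masked string is not byte-for-byte the original URI; that is acceptable for a message whose purpose is diagnosis, and the alternative of string-replacing the password inside the original text is fragile when the password is percent-encoded or appears elsewhere in the URI.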
Affected products
Links
- CVE-2025-30474
- SUSE Bug 1239974