vulnerability found in commons-io:commons-io

[JavaEcosystemStudy]

Hi! We spot a vulnerable dependency in your project, which might threaten your software. And we found that the vulnerable function of this CVE can be easily accessed from your software, there is no constraint along the invocation path to the vulnerable function.

• CVE_ID: CVE-2021-29425
• Vulnerable dependency: commons-io:commons-io
• Your invocation path to the vulnerable method:

  com.pinterest.singer.common.LogStream:<init>(com.pinterest.singer.common.SingerLog,java.lang.String)
  ⬇️
  org.apache.commons.io.FilenameUtils:concat(java.lang.String,java.lang.String)
  ⬇️
  org.apache.commons.io.FilenameUtils:getPrefixLength(java.lang.String)

Therefore, may be you need to upgrade this dependency. Hope this can help you! 😄

[ambud]

Thanks for reporting this