tsaekao / verademo-java

The Veracode demo application. A simple Java Web App built using Spring MVC.

CVE: 2021-29425 found in Apache Commons IO - Version: 2.2 [JAVA] #6

Open github-actions[bot] opened 6 months ago

github-actions[bot] commented 6 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Apache Commons IO |
| Description | The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. |
| Language | JAVA |
| Vulnerability | Directory Traversal |
| Vulnerability description | commons-io is vulnerable to Directory Traversal. Invoking the method FileNameUtils.normalize with a malicious input string would potentially allow access to files within the parent directory. |
| CVE | 2021-29425 |
| CVSS score | 5.8 |
| Vulnerability present in version/s | 2.2-2.6 |
| Found library version/s | 2.2 |
| Vulnerability fixed in version | 2.7 |
| Library latest version | 2.15.1 |
| Fix | |

Links:

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/2

github-actions[bot] commented 6 months ago

Veracode issue link to PR: https://github.com/tsaekao/verademo-java/pull/43