CVE: 0000-0000 found in Apache Commons IO - Version: 2.4 [JAVA]

[github-actions[bot]]

Veracode Software Composition Analysis

Attribute	Details
Library	Apache Commons IO
Description	The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Language	JAVA
Vulnerability	Remote Code Execution (RCE) Via Java Object Deserialization
Vulnerability description	commons-io is vulnerable to remote code execution (RCE) attacks. These attacks are possible because the library doesn't restrict the classes which can be accepted when deserializing a binary.
CVE	null
CVSS score	5.1
Vulnerability present in version/s	1.0-2.4
Found library version/s	2.4
Vulnerability fixed in version	2.5
Library latest version	2.15.1
Fix

Links:

• https://sca.analysiscenter.veracode.com/vulnerability-database/libraries/122?version=2.4
• https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/5295
• Patch: https://github.com/apache/commons-io/compare/a2db8ea72a65d862ff8250e165f6789e9f0df1cb...c65777acf65ee83967ca394adb6619330be9790f

[github-actions[bot]]

Veracode issue link to PR: https://github.com/veracode-repository-ruleset/verademo-java-maven/pull/54