Apache Drill / DRILL-7910

Bumps commons-io from 2.4 to 2.7


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.18.0
    • Fix Version/s: 1.19.0
    • Component/s: None
    • Labels: None

      Description

      This fix addresses CVE-2021-29425.

      In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

      The simple solution is to update the library.
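Upgrading the library removes the known defect, but the description also makes a more general point: a normalized file name is not by itself proof that the file lies where the caller expects. The following is an added example, not code from Drill, commons-io or this issue, showing the containment check a consumer of user-supplied file names should apply regardless of which normalize routine it uses. The class name SafePathResolver and the base directory /srv/drill/data are hypothetical, the sample inputs are constructed, and a Unix filesystem is assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical helper (not part of Drill or commons-io): resolves a caller-supplied
 * file name against a fixed base directory and rejects anything that would end up
 * outside it, whether the escape is a plain "../foo" or one of the malformed
 * prefixes the CVE text describes.
 */
public final class SafePathResolver {
    private final Path baseDir;

    public SafePathResolver(String baseDir) {
        // Absolute and normalized, so the containment check below compares canonical components.
        this.baseDir = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /**
     * Returns the resolved path if it lies under baseDir, otherwise throws.
     * Normalization is not the safety check; the startsWith() containment test is.
     */
    public Path resolve(String untrusted) {
        if (untrusted == null || untrusted.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Path.resolve() returns the argument unchanged when it is absolute (e.g. "//../foo"
        // on Unix), which is exactly why the result must still be checked against baseDir.
        Path candidate = baseDir.resolve(untrusted).normalize();
        // Path.startsWith() compares whole path components, so a base of "/srv/drill/data"
        // does not accidentally accept "/srv/drill/data-old/x" the way a String prefix check would.
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory: " + untrusted);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed base directory and sample inputs: one benign, three that must be rejected.
        SafePathResolver resolver = new SafePathResolver("/srv/drill/data");
        String[] samples = { "reports/q1.csv", "../foo", "//../foo", "/etc/passwd" };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + resolver.resolve(s));
            } catch (IllegalArgumentException e) {
                // InvalidPathException (e.g. an embedded NUL) is an IllegalArgumentException too.
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

On a Unix filesystem the backslash form from the description, "\..\foo", is a single literal component and resolves to a file of that name under the base directory, so it is accepted as contained; on Windows the same string is a real parent-directory reference and Path.normalize() folds it before the check, so it is rejected. Either way the decision rests on where the resolved path ends up, not on how it was spelled, which is the property a library-level normalize call cannot guarantee on its own.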

            People

            • Assignee: Charles Givre (cgivre)
            • Reporter: Charles Givre (cgivre)
            • Reviewer: Cong Luo
            • Votes: 0
            • Watchers: 2
