
maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: maven-shared-utils-3.3.3
    • Fix Version/s: None
    • Component/s: maven-shared-utils
    • Labels:

      Description

      maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705

      ISSUE

      sonatype-2018-0705

      SEVERITY

      Sonatype CVSS 3: 7.8
      CVE CVSS 2.0: 0.0

      EXPLANATION

      The commons-io package is vulnerable to Path Traversal. The getPrefixLength method in FilenameUtils.class improperly verifies the hostname value received from user input before processing client requests. An attacker could abuse this behavior by crafting a special payload containing unexpected characters that could allow access to unintended resources.

      ROOT CAUSE

      commons-io-2.6.jar : org/apache/commons/io/FilenameUtils.class [1.1, 2.7-SNAPSHOT)
      org-apache-commons-io-RELEASE113.jar : org/apache/commons/io/FilenameUtils.class [1.1, 2.7-SNAPSHOT)

      ADVISORIES

      Project: https://github.com/apache/commons-io/pull/52
      Project: https://issues.apache.org/jira/browse/IO-556
      Project: https://issues.apache.org/jira/browse/IO-559

      CVSS DETAILS

      Sonatype CVSS 3: 7.8
      CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
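      The explanation above says the affected FilenameUtils code does not validate the prefix (UNC host) of a caller-supplied name, so code that builds file paths from user input must not rely on the library's normalization alone. The following is an added example, not code from this issue or from commons-io, of resolving a user-supplied name under a fixed base directory with an independent containment check; the class and method names are hypothetical, and it assumes the base directory already exists on disk.

```java
import java.io.IOException;
import java.nio.file.Path;
import org.apache.commons.io.FilenameUtils;

/**
 * Added example (hypothetical names): resolve a caller-supplied file name
 * under a fixed base directory without trusting FilenameUtils alone.
 */
public final class SafeResolve {

    private SafeResolve() {
    }

    /**
     * Returns the canonical path of {@code userSupplied} inside {@code baseDir},
     * or throws if the input carries a prefix (drive letter, UNC host, leading
     * separator) or escapes the base directory once resolved.
     */
    public static Path resolveWithin(Path baseDir, String userSupplied) throws IOException {
        // Step 1: library normalization collapses "." and ".." segments and returns
        // null when the path would climb above its prefix. On commons-io 2.6 the
        // prefix itself is not validated, so this must never be the only check.
        String normalized = FilenameUtils.normalize(userSupplied, true);
        if (normalized == null || normalized.isEmpty()) {
            throw new IOException("rejected path: " + userSupplied);
        }

        // Step 2: accept only plain relative names. A non-zero prefix length means a
        // drive, UNC host ("//host/...") or absolute path was detected; any leading
        // "//" is treated as a UNC prefix and refused here regardless of how the
        // library validates the host part.
        if (FilenameUtils.getPrefixLength(normalized) != 0) {
            throw new IOException("prefixed or absolute path rejected: " + userSupplied);
        }

        // Step 3: containment check that does not depend on commons-io at all:
        // resolve against the real base directory and require the result to stay
        // beneath it after JDK normalization (Path.startsWith compares whole
        // components, so "base" is not confused with "base-other").
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(normalized).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes base directory: " + userSupplied);
        }
        return candidate;
    }
}
```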

      People

      • Assignee: Unassigned
      • Reporter: Scott Marshall (scott.marshall.snc)