[MSHARED-979] maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: maven-shared-utils-3.3.3
Fix Version/s: maven-shared-utils-4.0.0
Component/s: maven-shared-utils
Labels:
- Java8

Description

maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705

ISSUE

sonatype-2018-0705

SEVERITY

Sonatype CVSS 3:7.8
CVE CVSS 2.0:0.0

EXPLANATION

The commons-io package is vulnerable to Path Traversal. The getPrefixLength method in FilenameUtils.class improperly verifies the hostname value received from user input before processing client requests. An attacker could abuse this behavior by crafting a special payload containing unexpected characters that could allow the access to unintended resources.

ROOT CAUSE

commons-io-2.6.jarorg/apache/commons/io/FilenameUtils.class[1.1 , 2.7-SNAPSHOT)
org-apache-commons-io-RELEASE113.jarorg/apache/commons/io/FilenameUtils.class[1.1 , 2.7-SNAPSHOT)

ADVISORIES

Project:https://github.com/apache/commons-io/pull/52
Project:https://issues.apache.org/jira/browse/IO-556
Project:https://issues.apache.org/jira/browse/IO-559

CVSS DETAILS

Sonatype CVSS 3:7.8
CVSS Vector:CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attachments

Issue Links

depends upon

MSHARED-1110 Upgrade components

Closed

is cloned by

MSHARED-992 maven-shared-components uses commons-io 2.5 which is vulnerable

Closed

is duplicated by

MSHARED-992 maven-shared-components uses commons-io 2.5 which is vulnerable

Closed

Activity

People

Assignee:: Michael Osipov

Reporter:: Scott Marshall

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Feb/21 23:12

Updated:: 25/Jul/22 17:06

Resolved:: 25/Jul/22 17:06