Maven Shared Components - MSHARED-979

maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705


Details

    Description

      ISSUE

      sonatype-2018-0705

      SEVERITY

      Sonatype CVSS 3: 7.8
      CVE CVSS 2.0: 0.0

      EXPLANATION

      The commons-io package is vulnerable to Path Traversal. The getPrefixLength method in FilenameUtils.class does not properly validate the hostname portion of a user-supplied (UNC-style) path before processing it. An attacker could abuse this behavior by crafting a special payload containing unexpected characters in that hostname portion, which could allow access to unintended resources.
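      Added example for this ticket (a Python model written here, not commons-io's own code): the UNC-prefix rule of getPrefixLength in a lax form modeled on 2.6 and a strict form modeled on the hostname check introduced by IO-559, plus a detection helper. HOSTNAME_RE is a simplified RFC 1123 hostname pattern and is an assumption of this example.

```python
import re

# Constructed model for this ticket, not commons-io code: a simplified RFC 1123
# hostname pattern standing in for the validation added by IO-559 (assumption).
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def _is_sep(ch):
    return ch in "/\\"


def unc_prefix_length(path, validate_host):
    """Length of a UNC prefix such as //host/ or \\\\host\\, or -1 when the path
    is not treated as UNC.

    validate_host=False mirrors the lax 2.6 rule: whatever sits between the two
    leading separators and the next separator is accepted as the host, so a
    '..' segment is absorbed into the prefix and later left alone by normalize.
    validate_host=True mirrors the hardened rule: an invalid host yields -1,
    which a caller must treat as 'reject this path'.
    """
    if len(path) < 2 or not (_is_sep(path[0]) and _is_sep(path[1])):
        return -1
    pos_unix = path.find("/", 2)
    pos_win = path.find("\\", 2)
    if (pos_unix == -1 and pos_win == -1) or pos_unix == 2 or pos_win == 2:
        return -1  # no share separator, or an empty host: not a UNC path
    pos = min(p for p in (pos_unix, pos_win) if p != -1)
    host = path[2:pos]
    if validate_host and not HOSTNAME_RE.match(host):
        return -1
    return pos + 1


def traversal_hidden_in_prefix(path):
    """Detection check: True when the lax rule would hide a '..' as a UNC host."""
    n = unc_prefix_length(path, validate_host=False)
    return n != -1 and ".." in path[2:n - 1]


if __name__ == "__main__":
    for p in ["//../foo", "\\\\..\\foo", "//server/share/foo", "/etc/passwd"]:
        print(p, unc_prefix_length(p, False), unc_prefix_length(p, True),
              traversal_hidden_in_prefix(p))
```

A caller that keeps the lax behaviour and then hands the normalized result to file APIs is the pattern this ticket's dependency bump is meant to remove; the strict variant returns -1 for such inputs so they can be rejected before any file access.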

      ROOT CAUSE

      commons-io-2.6.jar : org/apache/commons/io/FilenameUtils.class : [1.1, 2.7-SNAPSHOT)
      org-apache-commons-io-RELEASE113.jar : org/apache/commons/io/FilenameUtils.class : [1.1, 2.7-SNAPSHOT)

      ADVISORIES

      Project: https://github.com/apache/commons-io/pull/52
      Project: https://issues.apache.org/jira/browse/IO-556
      Project: https://issues.apache.org/jira/browse/IO-559

      CVSS DETAILS

      Sonatype CVSS 3: 7.8
      CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

          People

            michael-o Michael Osipov
            scott.marshall.snc Scott Marshall