PublicDateAtUSN: 2021-04-13 07:15:00 UTC
Candidate: CVE-2021-29425
PublicDate: 2021-04-13 07:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
 https://www.openwall.com/lists/oss-security/2021/04/12/1
 https://issues.apache.org/jira/browse/IO-556
 https://ubuntu.com/security/notices/USN-5095-1
Description:
 In Apache Commons IO before 2.7, When invoking the method
 FileNameUtils.normalize with an improper input string, like "//../foo", or
 "\\..\foo", the result would be the same value, thus possibly providing
 access to files in the parent directory, but not further above (thus
 "limited" path traversal), if the calling code would use the result to
 construct a path value.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N [4.8 MEDIUM]


Patches_commons-io:
upstream_commons-io: released (2.8.0-1)
precise/esm_commons-io: DNE
trusty_commons-io: ignored (out of standard support)
trusty/esm_commons-io: released (2.4-2ubuntu0.1~esm1)
xenial_commons-io: ignored (end of standard support, was needed)
bionic_commons-io: released (2.6-2ubuntu0.18.04.1)
focal_commons-io: released (2.6-2ubuntu0.20.04.1)
groovy_commons-io: ignored (reached end-of-life)
hirsute_commons-io: not-affected (2.8.0-1)
impish_commons-io: not-affected (2.8.0-1)
jammy_commons-io: not-affected (2.8.0-1)
devel_commons-io: not-affected (2.8.0-1)