René's URL Explorer Experiment

{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"CVE-2021-29425 (Medium) detected in commons-io-1.3.2.jar","articleBody":"## CVE-2021-29425 - Medium Severity Vulnerability\n\u003cdetails\u003e\u003csummary\u003e\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20\u003e Vulnerable Library - \u003cb\u003ecommons-io-1.3.2.jar\u003c/b\u003e\u003c/p\u003e\u003c/summary\u003e\n\n\u003cp\u003eCommons-IO contains utility classes, stream implementations, file filters, and endian classes.\u003c/p\u003e\n\u003cp\u003ePath to dependency file: /pom.xml\u003c/p\u003e\n\u003cp\u003ePath to vulnerable library: /canner/.m2/repository/commons-io/commons-io/1.3.2/commons-io-1.3.2.jar\u003c/p\u003e\n\u003cp\u003e\n\nDependency Hierarchy:\n  - :x: **commons-io-1.3.2.jar** (Vulnerable Library)\n\u003cp\u003eFound in base branch: \u003cb\u003emaster\u003c/b\u003e\u003c/p\u003e\n\u003c/p\u003e\n\u003c/details\u003e\n\u003cp\u003e\u003c/p\u003e\n\u003cdetails\u003e\u003csummary\u003e\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/medium_vul.png?' width=19 height=20\u003e Vulnerability Details\u003c/summary\u003e\n\u003cp\u003e  \n  \nIn Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.\n\n\u003cp\u003ePublish Date: 2021-04-13\n\u003cp\u003eURL: \u003ca href=https://www.mend.io/vulnerability-database/CVE-2021-29425\u003eCVE-2021-29425\u003c/a\u003e\u003c/p\u003e\n\u003c/p\u003e\n\u003c/details\u003e\n\u003cp\u003e\u003c/p\u003e\n\u003cdetails\u003e\u003csummary\u003e\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20\u003e CVSS 3 Score Details (\u003cb\u003e4.8\u003c/b\u003e)\u003c/summary\u003e\n\u003cp\u003e\n\nBase Score Metrics:\n- Exploitability Metrics:\n  - Attack Vector: Network\n  - Attack Complexity: High\n  - Privileges Required: None\n  - User Interaction: None\n  - Scope: Unchanged\n- Impact Metrics:\n  - Confidentiality Impact: Low\n  - Integrity Impact: Low\n  - Availability Impact: None\n\u003c/p\u003e\nFor more information on CVSS3 Scores, click \u003ca href=\"https://www.first.org/cvss/calculator/3.0\"\u003ehere\u003c/a\u003e.\n\u003c/p\u003e\n\u003c/details\u003e\n\u003cp\u003e\u003c/p\u003e\n\u003cdetails\u003e\u003csummary\u003e\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20\u003e Suggested Fix\u003c/summary\u003e\n\u003cp\u003e\n\n\u003cp\u003eType: Upgrade version\u003c/p\u003e\n\u003cp\u003eOrigin: \u003ca href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425\"\u003ehttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eRelease Date: 2021-04-13\u003c/p\u003e\n\u003cp\u003eFix Resolution: 2.7\u003c/p\u003e\n\n\u003c/p\u003e\n\u003c/details\u003e\n\u003cp\u003e\u003c/p\u003e\n\n***\nStep up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)","author":{"url":"https://github.com/mend-bolt-for-github[bot]","@type":"Person","name":"mend-bolt-for-github[bot]"},"datePublished":"2023-01-07T01:22:19.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/7/browserstack-local-java/issues/7"}