CVE-2021-29425
moderate-risk
Published 2021-04-13
In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value as the input (the ".." segment is not removed), thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value.
Do I need to act?
EPSS: 0.48% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 4.8/10 (Medium); attack vector NETWORK, attack complexity HIGH
Affected Products (20)
Commons Io
Application Performance Management
Banking Apis
Risk score: 49/100 (moderate-risk)
Severity: 15/34 · Moderate
Exploitability: 2/34 · Minimal
Exposure: 32/34 · Critical