CVE-2021-29425

MEDIUM

Apache Commons IO < 2.4.0 - Path Traversal

Title source: rule

Description

In Apache Commons IO before 2.7, invoking the method FilenameUtils.normalize with an improper input string such as "//../foo" or "\\..\foo" returns the same value unchanged. If the calling code uses that result to construct a path, this can give access to files in the parent directory, but not further above (hence a "limited" path traversal).
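An added, stand-alone check (not Commons IO code) showing how a caller can refuse the inputs the description names: it treats both '/' and '\' as separators, discards leading separators instead of reading them as a prefix, and rejects any path whose '..' would climb above the base directory. The base directory and probe strings are constructed for this example.

```python
"""Defensive path check modelled on CVE-2021-29425.

The advisory states that FilenameUtils.normalize in Commons IO < 2.7 returned
inputs such as "//../foo" or "\\..\foo" unchanged, so a caller that appended
the result to a base directory could reach the base's parent. This helper is
an added illustration, not library code: it normalises a relative path itself
and refuses anything that would step above the base.
"""
from pathlib import PurePosixPath
import re

# Both '/' and '\' count as separators, as Commons IO accepts both styles.
SEPARATORS = re.compile(r"[\\/]+")


def normalize_within(candidate: str):
    """Return the cleaned relative path, or None if it would escape the base.

    Leading separators produce empty segments that are simply dropped, so
    "//../foo" becomes ["..", "foo"] and is rejected because the '..' has
    no preceding segment to remove.
    """
    parts = []
    for segment in SEPARATORS.split(candidate):
        if segment in ("", "."):
            continue            # empty (leading/doubled separator) or current dir
        if segment == "..":
            if not parts:
                return None     # would climb above the base: limited traversal
            parts.pop()
            continue
        parts.append(segment)
    return "/".join(parts)


def resolve_under(base: str, candidate: str):
    """Join the validated relative path onto base; None when the input is unsafe."""
    rel = normalize_within(candidate)
    if rel is None:
        return None
    return str(PurePosixPath(base) / rel) if rel else base


if __name__ == "__main__":
    # Constructed probes: the two shapes named in the advisory plus benign ones.
    for probe in ("//../foo", "\\\\..\\foo", "a/../b", "docs/./readme.txt", "../x"):
        print(f"{probe!r:20} -> {resolve_under('/srv/app/data', probe)}")
```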

Exploits (2)

- nomisec WRITEUP, by shoucheng3 (poc): https://github.com/shoucheng3/asf__commons-io_CVE-2021-29425_2-6
- nomisec WORKING POC, by arsalanraja987 (poc): https://github.com/arsalanraja987/java-cve-2021-29425-tika-xxe


Scores

CVSS v3 4.8
EPSS 0.0049
EPSS Percentile 65.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE
CWE-22 CWE-20
Status published
Products (48)
apache/commons_io 2.2
apache/commons_io 2.3
apache/commons_io 2.4
apache/commons_io 2.5
apache/commons_io 2.6
com.cosium.vet/vet 1.0 (Maven)
com.diamondq.common/common-thirdparty.jcasbin (Maven)
com.liferay/com.liferay.sass.compiler.jsass (Maven)
commons-io/commons-io 0 - 2.7 (Maven)
com.virjar/ratel-api 1.0.0 (Maven)
Published Apr 13, 2021
Tracked Since Feb 18, 2026