Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2021-29425

Disclosure Date: April 13, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like “//../foo”, or “\..\foo”, the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus “limited” path traversal), if the calling code would use the result to construct a path value.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
4.8 Medium
Impact Score:
2.5
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
Low
Integrity (I):
Low
Availability (A):
None

General Information

Vendors

  • apache,
  • debian,
  • netapp,
  • oracle

Products

  • access manager 11.1.2.3.0,
  • access manager 12.2.1.3.0,
  • access manager 12.2.1.4.0,
  • active iq unified manager -,
  • agile engineering data management 6.2.1.0,
  • agile plm 9.3.6,
  • application performance management 13.4.1.0,
  • application performance management 13.5.1.0,
  • application testing suite 13.3.0.1,
  • banking apis 18.1,
  • banking apis 18.2,
  • banking apis 18.3,
  • banking apis 19.1,
  • banking apis 19.2,
  • banking apis 20.1,
  • banking apis 21.1,
  • banking digital experience 17.2,
  • banking digital experience 18.1,
  • banking digital experience 18.3,
  • banking digital experience 19.1,
  • banking digital experience 19.2,
  • banking digital experience 20.1,
  • banking digital experience 21.1,
  • banking enterprise default management 2.10.0,
  • banking enterprise default management 2.12.0,
  • banking enterprise default management 2.6.2,
  • banking enterprise default management 2.7.0,
  • banking enterprise default management 2.7.1,
  • banking enterprise default managment,
  • banking party management 2.7.0,
  • banking platform,
  • banking platform 2.6.2,
  • banking platform 2.7.0,
  • banking platform 2.7.1,
  • blockchain platform,
  • commerce guided search 11.3.2,
  • commons io 2.2,
  • commons io 2.3,
  • commons io 2.4,
  • commons io 2.5,
  • commons io 2.6,
  • communications application session controller 3.9.0,
  • communications billing and revenue management elastic charging engine 11.3,
  • communications billing and revenue management elastic charging engine 12.0,
  • communications cloud native core network repository function 1.14.0,
  • communications cloud native core policy 1.14.0,
  • communications cloud native core unified data repository 1.4.0,
  • communications contacts server 8.0.0.6.0,
  • communications converged application server - service controller 6.2,
  • communications convergence 3.0.2.2.0,
  • communications design studio,
  • communications design studio 7.3.5,
  • communications diameter intelligence hub,
  • communications interactive session recorder 6.3,
  • communications interactive session recorder 6.4,
  • communications offline mediation controller 12.0.0.3,
  • communications order and service management 7.3,
  • communications order and service management 7.4,
  • communications policy management 12.5.0.0.0,
  • communications pricing design center 12.0.0.4.0,
  • communications pricing design center 12.0.0.5.0,
  • communications service broker 6.2,
  • debian linux 9.0,
  • enterprise communications broker 3.3,
  • enterprise session border controller 8.4,
  • enterprise session border controller 9.0,
  • financial services analytical applications infrastructure,
  • financial services model management and governance,
  • flexcube core banking,
  • flexcube core banking 11.10.0,
  • flexcube core banking 5.2.0,
  • fusion middleware mapviewer 12.2.1.4.0,
  • health sciences data management workbench 2.5.2.1,
  • health sciences data management workbench 3.0.0.0,
  • health sciences information manager,
  • healthcare data repository 8.1.0,
  • helidon 1.4.7,
  • helidon 2.2.0,
  • insurance policy administration 11.0.2,
  • insurance policy administration 11.1.0,
  • insurance policy administration 11.2.8,
  • insurance policy administration 11.3.0,
  • insurance policy administration 11.3.1,
  • insurance rules palette 11.0.2,
  • insurance rules palette 11.1.0,
  • insurance rules palette 11.2.8,
  • insurance rules palette 11.3.0,
  • insurance rules palette 11.3.1,
  • oss support tools,
  • primavera unifier,
  • primavera unifier 18.8,
  • primavera unifier 19.12,
  • primavera unifier 20.12,
  • primavera unifier 21.12,
  • real user experience insight 13.4.1.0,
  • real user experience insight 13.5.1.0,
  • rest data services,
  • rest data services 21.3,
  • retail assortment planning 16.0.3,
  • retail integration bus,
  • retail integration bus 13.0,
  • retail integration bus 14.1.3.0,
  • retail integration bus 14.1.3.2,
  • retail integration bus 15.0.3.1,
  • retail integration bus 19.0.0,
  • retail integration bus 19.0.1,
  • retail merchandising system 16.0.3,
  • retail merchandising system 19.0.1,
  • retail order broker 16.0,
  • retail order broker 18.0,
  • retail order broker 19.1,
  • retail pricing 19.0.1,
  • retail service backbone,
  • retail service backbone 14.1.3.0,
  • retail service backbone 14.1.3.2,
  • retail service backbone 15.0.3.1,
  • retail service backbone 19.0.0,
  • retail service backbone 19.0.1,
  • retail size profile optimization 16.0.3,
  • retail xstore point of service 17.0.4,
  • retail xstore point of service 18.0.3,
  • retail xstore point of service 19.0.2,
  • retail xstore point of service 20.0.1,
  • solaris cluster 4.0,
  • utilities testing accelerator 6.0.0.1.1,
  • utilities testing accelerator 6.0.0.2.2,
  • utilities testing accelerator 6.0.0.3.1,
  • webcenter portal 12.2.1.3.0,
  • webcenter portal 12.2.1.4.0,
  • weblogic server 12.1.3.0.0,
  • weblogic server 12.2.1.3.0,
  • weblogic server 12.2.1.4.0,
  • weblogic server 14.1.1.0.0

Exploited in the Wild

Reported by:

References

Advisory

Additional Info

Technical Analysis