Vulnerability Details
Apache Commons IO Path Traversal Vulnerability
Vulnerability Summary
Apache Commons IO is a library from the Apache Software Foundation (United States) that provides utilities to help develop I/O functionality.
Apache Commons IO versions 2.2 through 2.6 contain a path traversal vulnerability. When the FileNameUtils.normalize method is called with an improper input string such as "//../foo" or "\\..\foo", the returned value may grant access to files in the parent directory.
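The practical lesson of this flaw is that a normalized string on its own is not proof that a path stays where it should. The example below is added here and is not part of the advisory or of Apache Commons IO; it shows a containment check that does not depend on what org.apache.commons.io.FilenameUtils.normalize returns for a given library version. It resolves the untrusted name beneath a base directory with java.nio and accepts the result only if it is still inside that directory. The class name SafeResolve, the method resolveInside and the base path /srv/app/uploads are assumptions chosen for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not code from the advisory or from Apache Commons IO.
 * Resolves an untrusted file name beneath a fixed base directory and
 * refuses anything that would leave it.
 */
public final class SafeResolve {

    private SafeResolve() {
    }

    /**
     * Returns the absolute path of {@code untrusted} inside {@code baseDir},
     * or null if the input is absolute, UNC-style, contains a ".." segment,
     * or otherwise resolves outside the base directory.
     */
    public static Path resolveInside(Path baseDir, String untrusted) {
        if (untrusted == null || untrusted.isEmpty()) {
            return null;
        }
        // Lexical guard first, treating both separator conventions alike so the
        // behaviour does not change between Windows and POSIX hosts.
        String s = untrusted.replace('\\', '/');
        if (s.startsWith("/")) {
            return null; // "/etc/passwd", "//../foo", "\\..\\foo"
        }
        for (String segment : s.split("/")) {
            if (segment.equals("..")) {
                return null; // "../foo", "a/../../foo"
            }
        }
        // Structural guard second: resolve, normalize, and require containment.
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(s).normalize();
        if (!target.startsWith(base)) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/uploads"); // assumed base directory
        // Constructed sample inputs: the two from the advisory plus common variants.
        String[] samples = {
            "report.txt", "sub/report.txt", "//../foo", "\\..\\foo", "../foo", "a/../b.txt"
        };
        for (String sample : samples) {
            System.out.println(sample + " -> " + resolveInside(base, sample));
        }
    }
}
```

The lexical guard is deliberately conservative: "a/../b.txt" is rejected even though it would stay inside the base directory, because a caller that accepts file names has no reason to accept ".." at all. Both guards are lexical, so if files under the base directory may be symbolic links, also compare Path.toRealPath() of the target against the real path of the base once the file is known to exist.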
Vulnerability Announcement
The vendor has released an upgrade patch that fixes this vulnerability. The patch can be obtained from:
https://issues.apache.org/jira/browse/IO-556
Reference URLs
Source: MLIST
Link: https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E
Source: MISC
Link: https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html
Source: MLIST
Link: https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E
Source: MISC
Link: https://issues.apache.org/jira/browse/IO-556
Source: MLIST
Link: https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E
Source: MISC
Link: https://www.oracle.com/security-alerts/cpuoct2021.html
Source: MLIST
Link: https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-commons-affects-tivoli-netcool-impact-cve-2021-29425/
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-could-tiering-is-affected-by-a-vulnerability-in-apache-commons-io-cve-2021-29425/
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-cloud-tiering-is-affected-by-a-vulnerability-in-apache-commons-io-cve-2021-29425/
Source: www.oracle.com
Link: https://www.oracle.com/security-alerts/cpuoct2021.html
Source: www.ibm.com
Link: https://www.ibm.com/support/pages/node/6517470
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.1349
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.3208
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-information-server-is-affected-by-a-vulnerability-in-apache-commons-io/
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-commons-io-may-affect-cram-social-program-management-cve-2021-29425/
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/164156/Red-Hat-Security-Advisory-2021-3534-01.html
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.3077
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/164091/Red-Hat-Security-Advisory-2021-3466-01.html
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.2323
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.2741
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.3038
Source: nvd.nist.gov
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-29425
Source: www.ibm.com
Link: https://www.ibm.com/support/pages/node/6492201
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.3256
Source: access.redhat.com
Link: https://access.redhat.com/security/cve/cve-2021-29425
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/163922/Red-Hat-Security-Advisory-2021-3225-01.html
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/164344/Ubuntu-Security-Notice-USN-5095-1.html
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/164279/Red-Hat-Security-Advisory-2021-3660-01.html
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/163423/Red-Hat-Security-Advisory-2021-2465-01.html
Source: www.cybersecurity-help.cz
Link: https://www.cybersecurity-help.cz/vdb/SB2021081922
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-using-a-component-with-known-vulnerabilities-apache-commons-cve-2021-29425/
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.1413
Source: www.ibm.com
Link: https://www.ibm.com/support/pages/node/6520472
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-open-source-libraries-affects-tivoli-netcool-omnibus-webgui/
Source: packetstormsecurity.com
Link: https://packetstormsecurity.com/files/164077/Red-Hat-Security-Advisory-2021-3471-01.html
Source: www.cybersecurity-help.cz
Link: https://www.cybersecurity-help.cz/vdb/SB2021101943
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.2896
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.3446
Source: www.ibm.com
Link: https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been-identified-in-apache-commons-io-shipped-with-ibm-tivoli-netcool-omnibus-probe-for-microsoft-exchange-web-services-cve-2021-29425/
Source: www.cybersecurity-help.cz
Link: https://www.cybersecurity-help.cz/vdb/SB2021041510
Source: www.auscert.org.au
Link: https://www.auscert.org.au/bulletins/ESB-2021.3245
Source: vigilance.fr
Link: https://vigilance.fr/vulnerability/Apache-Commons-IO-directory-traversal-via-FileNameUtils-normalize-35120
Source: www.cybersecurity-help.cz
Link: https://www.cybersecurity-help.cz/vdb/SB2021100410
Affected Entities
None recorded
Patches
- Fix for the Apache Commons IO path traversal vulnerability (2021-04-12)