CVE编号
CVE-2021-29425利用情况
暂无补丁情况
官方补丁披露时间
2021-04-13漏洞描述
Apache Commons IO是美国阿帕奇基金会(Apache)公司的一个应用程序。可以帮助开发IO功能。 Apache Commons IO 2.2版本至2.6版本存在路径遍历漏洞。该漏洞与FileNameUtils.normalize方法有关。攻击者可以利用该漏洞通过发送错误的输入字符串(例如“//../foo”或“\\..\foo”)获得对父目录中文件的访问权限。解决建议
厂商已发布了漏洞修复程序,请及时关注更新:https://issues.apache.org/jira/browse/IO-556
参考链接 |
|
|---|---|
| https://issues.apache.org/jira/browse/IO-556 | |
| https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00... | |
| https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc... | |
| https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e38... | |
| https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1... | |
| https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad10... | |
| https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14... | |
| https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747... | |
| https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec9... | |
| https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24... | |
| https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0c... | |
| https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d7526... | |
| https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb80... | |
| https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e... | |
| https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd... | |
| https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb0... | |
| https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bc... | |
| https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc... | |
| https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce58... | |
| https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a9... | |
| https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa... | |
| https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab... | |
| https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da... | |
| https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cd... | |
| https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36... | |
| https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42... | |
| https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0... | |
| https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396a... | |
| https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40... | |
| https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424... | |
| https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005... | |
| https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7f... | |
| https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61... | |
| https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af91394... | |
| https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d... | |
| https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82... | |
| https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b833... | |
| https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d046... | |
| https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894... | |
| https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a2... | |
| https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b0... | |
| https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html | |
| https://security.netapp.com/advisory/ntap-20220210-0004/ | |
| https://www.oracle.com/security-alerts/cpujan2022.html | |
| https://www.oracle.com/security-alerts/cpuoct2021.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | apache | commons_io | * |
Up to (excluding) 2.7 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | commons-io | * |
Up to (excluding) 2.6-2+deb10u1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | commons-io | * |
Up to (excluding) 2.5-1+deb9u1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.2 | commons-io | * |
Up to (excluding) 2.6-lp152.2.3.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12_SP5 | commons-io | * |
Up to (excluding) 2.4-9.3.1 |
|||||
- 攻击路径 本地
- 攻击复杂度 容易
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 数据泄露
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 N/A
还没有评论,来说两句吧...