Apache Commons IO Path Traversal Vulnerability

admin 2023-12-01 15:14:47 Ali_nvd Source: ZONE.CI 全球网
Severity: Low

CVE ID: CVE-2021-29425
Exploitation status: None known
Patch status: Official patch available
Disclosure date: 2021-04-13
Vulnerability description
Apache Commons IO is a component from the Apache Software Foundation (Apache) that helps developers implement I/O functionality. Apache Commons IO versions 2.2 through 2.6 contain a path traversal vulnerability related to the FilenameUtils.normalize method. An attacker can exploit it by supplying a malformed input string (for example "//../foo" or "\\..\foo") to gain access to files in the parent directory.
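As an added example (not code from Commons IO or from this advisory), a defensive containment check in Java that does not depend on the string output of FilenameUtils.normalize: the user-supplied name is resolved against an allowed base directory and rejected unless the normalized result still lies inside it. The class name, the base directory and the benign sample input are constructed for illustration; the two traversal strings are the ones quoted in the description.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

/**
 * Added example, not Commons IO code. A string normalizer such as
 * FilenameUtils.normalize() is not a containment check: in the affected
 * versions inputs like "//../foo" or "\\..\foo" can come back as a path that
 * still climbs out of the intended directory. The decisive test is whether
 * the resolved and normalized Path remains under the allowed base directory.
 */
public final class SafePathResolver {
    private final Path baseDir;

    public SafePathResolver(Path baseDir) {
        // Absolute and normalized, so startsWith() compares like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /** Returns the resolved file, or empty when the input escapes baseDir. */
    public Optional<Path> resolve(String userInput) {
        if (userInput == null || userInput.isEmpty() || userInput.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        Path candidate;
        try {
            // resolve() keeps an absolute input as-is, so "//../foo" becomes an
            // absolute path outside baseDir; normalize() collapses ".." segments.
            candidate = baseDir.resolve(userInput).normalize();
        } catch (InvalidPathException e) {
            // Malformed for this platform (e.g. a bad UNC form on Windows): reject.
            return Optional.empty();
        }
        // Path-level containment is the check that actually matters.
        return candidate.startsWith(baseDir) ? Optional.of(candidate) : Optional.empty();
    }

    public static void main(String[] args) {
        // "/srv/app/uploads" is a constructed base directory for the demo.
        SafePathResolver resolver = new SafePathResolver(Paths.get("/srv/app/uploads"));
        // Constructed inputs: one benign name, a classic "..", and the two advisory strings.
        // On Unix the backslash is an ordinary filename character, so "\..\foo" stays
        // inside baseDir as a single component; on Windows it is root-relative and is rejected.
        String[] inputs = { "report.txt", "../../etc/passwd", "//../foo", "\\..\\foo" };
        for (String in : inputs) {
            System.out.printf("%-18s -> %s%n", in,
                    resolver.resolve(in).map(Path::toString).orElse("REJECTED"));
        }
    }
}
```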
Remediation
The vendor has released a fix for this vulnerability; update promptly and follow: https://issues.apache.org/jira/browse/IO-556
References
https://issues.apache.org/jira/browse/IO-556
https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00...
https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc...
https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e38...
https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1...
https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad10...
https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14...
https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747...
https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec9...
https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24...
https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0c...
https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d7526...
https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb80...
https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e...
https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd...
https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb0...
https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bc...
https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc...
https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce58...
https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a9...
https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa...
https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab...
https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da...
https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cd...
https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36...
https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42...
https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0...
https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396a...
https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40...
https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424...
https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005...
https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7f...
https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61...
https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af91394...
https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d...
https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82...
https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b833...
https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d046...
https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894...
https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a2...
https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b0...
https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html
https://security.netapp.com/advisory/ntap-20220210-0004/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
Affected software
#   Type         Vendor                      Product            Version   Affected range
1   Application  apache                      commons_io         *         Up to (excluding) 2.7
2   System       amazon_2                    apache-commons-io  *         Up to (excluding) 2.4-12.amzn2.0.1
3   System       debian_10                   commons-io         *         Up to (excluding) 2.6-2+deb10u1
4   System       debian_11                   commons-io         *         Up to (excluding) 2.8.0-1
5   System       debian_12                   commons-io         *         Up to (excluding) 2.8.0-1
6   System       debian_9                    commons-io         *         Up to (excluding) 2.5-1+deb9u1
7   System       debian_sid                  commons-io         *         Up to (excluding) 2.8.0-1
8   System       kylinos_aarch64_V10SP1      apache-commons-io  *         Up to (excluding) 2.6-5.p02.ky10
9   System       kylinos_aarch64_V10SP2      apache-commons-io  *         Up to (excluding) 2.6-5.p02.ky10
10  System       kylinos_loongarch64_V10SP1  apache-commons-io  *         Up to (excluding) 2.6-5.p02.a.ky10
11  System       kylinos_x86_64_V10SP1       apache-commons-io  *         Up to (excluding) 2.6-5.p02.ky10
12  System       kylinos_x86_64_V10SP2       apache-commons-io  *         Up to (excluding) 2.6-5.p02.ky10
13  System       opensuse_Leap_15.2          apache-commons-io  *         Up to (excluding) 2.6-lp152.2.3.1
14  System       suse_12_SP5                 apache-commons-io  *         Up to (excluding) 2.4-9.3.1
15  System       ubuntu_18.04                commons-io         *         Up to (excluding) 2.6-2ubuntu0.18.04.1
16  System       ubuntu_18.04.5_lts          commons-io         *         Up to (excluding) 2.6-2ubuntu0.18.04.1
17  System       ubuntu_20.04                commons-io         *         Up to (excluding) 2.6-2ubuntu0.20.04.1
Alibaba Cloud score: 3.4
  • Attack vector: Local
  • Attack complexity: Easy
  • Privileges required: None
  • Scope of impact: Limited
  • Exploit maturity: Unverified
  • Patch status: Official patch
  • Data confidentiality: Data leakage
  • Data integrity: No impact
  • Server harm: No impact
  • Internet-wide count: N/A
CWE-ID / Vulnerability type
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
- avd.aliyun.com