NVD Vulnerability Detail

CVE-2021-29425

Summary	In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publication Date	April 13, 2021, 4:15 p.m.
Registration Date	April 14, 2021, 10:05 a.m.
Last Update	Nov. 21, 2024, 3:01 p.m.

CVSS3.1 : MEDIUM
スコア	4.8
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
Score	5.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:commons_io:2.2:-::::::
cpe:2.3:a:apache:commons_io:2.3:-::::::
cpe:2.3:a:apache:commons_io:2.4:-::::::
cpe:2.3:a:apache:commons_io:2.5:-::::::
cpe:2.3:a:apache:commons_io:2.6:-::::::

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:retail_integration_bus:13.0:::::::*
cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:::::::*
cpe:2.3:a:oracle:solaris_cluster:4.0:::::::*
cpe:2.3:a:oracle:access_manager:11.1.2.3.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:access_manager:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.6.2:::::::*
cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
cpe:2.3:a:oracle:primavera_unifier::::::::	17.7	17.12
cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
cpe:2.3:a:oracle:banking_digital_experience:18.3:::::::*
cpe:2.3:a:oracle:banking_digital_experience:19.1:::::::*
cpe:2.3:a:oracle:banking_digital_experience:18.1:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*
cpe:2.3:a:oracle:banking_digital_experience:19.2:::::::*
cpe:2.3:a:oracle:banking_digital_experience:20.1:::::::*
cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:::::::*
cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:::::::*
cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
cpe:2.3:a:oracle:communications_order_and_service_management:7.4:::::::*
cpe:2.3:a:oracle:retail_order_broker:18.0:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:::::::*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:::::::*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:::::::*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:::::::*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:::::::*
cpe:2.3:a:oracle:commerce_guided_search:11.3.2:::::::*
cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:::::::*
cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:::::::*
cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:::::::*
cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:19.1:::::::*
cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:::::::*
cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:::::::*
cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:::::::*
cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:::::::*
cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:::::::*
cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:::::::*
cpe:2.3:a:oracle:banking_party_management:2.7.0:::::::*
cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:::::::*
cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:::::::*
cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:::::::*
cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:::::::*
cpe:2.3:a:oracle:communications_order_and_service_management:7.3:::::::*
cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:::::::*
cpe:2.3:a:oracle:access_manager:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::	8.0.7	8.1.1
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:::::::*
cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:::::::*
cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:::::::*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:::::::*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:::::::*
cpe:2.3:a:oracle:retail_service_backbone:19.0.0:::::::*
cpe:2.3:a:oracle:retail_service_backbone::::::::	16.0.1	16.0.3
cpe:2.3:a:oracle:retail_integration_bus::::::::	16.0.1	16.0.3
cpe:2.3:a:oracle:communications_service_broker:6.2:::::::*
cpe:2.3:a:oracle:banking_digital_experience:21.1:::::::*
cpe:2.3:a:oracle:banking_apis:19.1:::::::*
cpe:2.3:a:oracle:banking_apis:19.2:::::::*
cpe:2.3:a:oracle:banking_apis:20.1:::::::*
cpe:2.3:a:oracle:banking_apis:21.1:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
cpe:2.3:a:oracle:application_performance_management:13.5.1.0:::::::*
cpe:2.3:a:oracle:application_performance_management:13.4.1.0:::::::*
cpe:2.3:a:oracle:banking_platform::::::::	2.3.0	2.4.1
cpe:2.3:a:oracle:banking_enterprise_default_managment::::::::	2.3.0	2.4.0
cpe:2.3:a:oracle:banking_apis:18.2:::::::*
cpe:2.3:a:oracle:banking_digital_experience:17.2:::::::*
cpe:2.3:a:oracle:banking_apis:18.1:::::::*
cpe:2.3:a:oracle:banking_apis:18.3:::::::*
cpe:2.3:a:oracle:communications_design_studio:7.3.5:::::::*
cpe:2.3:a:oracle:financial_services_model_management_and_governance::::::::	8.0.8	8.1.1
cpe:2.3:a:oracle:enterprise_communications_broker:3.3:::::::*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:::::::*
cpe:2.3:a:oracle:oss_support_tools::::::::				2.12.42
cpe:2.3:a:oracle:retail_service_backbone:14.1.3.0:::::::*
cpe:2.3:a:oracle:retail_service_backbone:19.0.1:::::::*
cpe:2.3:a:oracle:retail_integration_bus:14.1.3.0:::::::*
cpe:2.3:a:oracle:retail_integration_bus:19.0.0:::::::*
cpe:2.3:a:oracle:retail_integration_bus:19.0.1:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:::::::*
cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:::::::*
cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:::::::*
cpe:2.3:a:oracle:communications_diameter_intelligence_hub::::::::	8.0.0	8.1.0
cpe:2.3:a:oracle:insurance_policy_administration:11.2.8:::::::*
cpe:2.3:a:oracle:communications_diameter_intelligence_hub::::::::	8.2.0	8.2.3
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.5.0:::::::*
cpe:2.3:a:oracle:blockchain_platform::::::::				21.1.2
cpe:2.3:a:oracle:insurance_rules_palette:11.2.8:::::::*
cpe:2.3:a:oracle:health_sciences_information_manager::::::::	3.0.1	3.0.4
cpe:2.3:a:oracle:helidon:2.2.0:::::::*
cpe:2.3:a:oracle:helidon:1.4.7:::::::*
cpe:2.3:a:oracle:communications_policy_management:12.5.0.0.0:::::::*
cpe:2.3:a:oracle:communications_design_studio::::::::	7.4.0	7.4.2
cpe:2.3:a:oracle:communications_contacts_server:8.0.0.6.0:::::::*
cpe:2.3:a:oracle:rest_data_services:::::-:::*				21.2
cpe:2.3:a:oracle:rest_data_services:21.3::::-:::
cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:::::::*
cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:::::::*
cpe:2.3:a:oracle:retail_pricing:19.0.1:::::::*
cpe:2.3:a:oracle:flexcube_core_banking::::::::	11.6.0	11.8.0

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::

Related information, measures and tools

No	URL	タグ
1	https://issues.apache.org/jira/browse/IO-556	Exploit Issue Tracking Vendor Advisory
2	https://issues.apache.org/jira/browse/IO-556	Exploit Issue Tracking Vendor Advisory
3	https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E
4	https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E
5	https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E
6	https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E
7	https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E
8	https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E
9	https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E
10	https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E
11	https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E
12	https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E
13	https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E
14	https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E
15	https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E
16	https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E
17	https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E
18	https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E
19	https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E
20	https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E
21	https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E
22	https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E
23	https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E
24	https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E
25	https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E
26	https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E
27	https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E
28	https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E
29	https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E
30	https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E
31	https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E
32	https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E
33	https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E
34	https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E
35	https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E
36	https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E
37	https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E
38	https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E
39	https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E
40	https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E
41	https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E
42	https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E
43	https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E
44	https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E
45	https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E
46	https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E
47	https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E
48	https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E
49	https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E
50	https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E
51	https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E
52	https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E
53	https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E
54	https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E
55	https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E
56	https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E
57	https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E
58	https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E
59	https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E
60	https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E
61	https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E
62	https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E
63	https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E	Mailing List Vendor Advisory
64	https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E	Mailing List Vendor Advisory
65	https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E
66	https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E
67	https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E
68	https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E
69	https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E
70	https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E
71	https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E
72	https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E
73	https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E
74	https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E
75	https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E
76	https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E
77	https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E
78	https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E
79	https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E
80	https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E
81	https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E
82	https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E
83	https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html	Mailing List Third Party Advisory
84	https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html	Mailing List Third Party Advisory
85	https://security.netapp.com/advisory/ntap-20220210-0004/	Third Party Advisory
86	https://security.netapp.com/advisory/ntap-20220210-0004/	Third Party Advisory
87	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
88	https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
89	https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
90	https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
91	https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
92	https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
93	https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory
94	https://www.oracle.com/security-alerts/cpuoct2021.html	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

JVN Vulnerability Information

Apache Commons IO におけるパストラバーサルの脆弱性

Title	Apache Commons IO におけるパストラバーサルの脆弱性
Summary	Apache Commons IO には、パストラバーサルの脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 13, 2021, midnight
Registration Date	Dec. 14, 2021, 1:42 p.m.
Last Update	Dec. 14, 2021, 1:42 p.m.

Affected System

Apache Software Foundation

Apache Commons IO 2.7 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-29425	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
National Vulnerability Database (NVD)
2	CVE-2021-29425	https://nvd.nist.gov/vuln/detail/CVE-2021-29425

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
ASF JIRA
1	IO-556	https://issues.apache.org/jira/browse/IO-556
Pony Mail
2	Announce: CVE-2021-29425 (Possible limited path traversal vulnerabily in Apache Commons IO up to version 2.6)	https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E
3	Re: [all] OSS Fuzz(r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31)	https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E
4	Re: [all] OSS Fuzz(rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330)	https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E
5	[GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix	https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E
6	[GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425	https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E
7	[GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425	https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E
8	[jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity	https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E
9	[jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity	https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E
10	[jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity	https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E
11	[jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity	https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E
12	[portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425	https://lists.apache.org/thread/rmgccvv8og4n8t4zn60kk62lzz6mjw80
13	[zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)	https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E

Change Log

No	Changed Details	Date of change
1	[2021年12月14日] 掲載	Dec. 14, 2021, 1:42 p.m.

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:retail_integration_bus:13.0:::::::*
cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:::::::*
cpe:2.3:a:oracle:solaris_cluster:4.0:::::::*
cpe:2.3:a:oracle:access_manager:11.1.2.3.0:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:access_manager:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:::::::*
cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.6.2:::::::*
cpe:2.3:a:oracle:primavera_unifier:18.8:::::::*
cpe:2.3:a:oracle:primavera_unifier::::::::	17.7	17.12
cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
cpe:2.3:a:oracle:banking_digital_experience:18.3:::::::*
cpe:2.3:a:oracle:banking_digital_experience:19.1:::::::*
cpe:2.3:a:oracle:banking_digital_experience:18.1:::::::*
cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:primavera_unifier:19.12:::::::*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::*
cpe:2.3:a:oracle:banking_digital_experience:19.2:::::::*
cpe:2.3:a:oracle:banking_digital_experience:20.1:::::::*
cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:::::::*
cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:::::::*
cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*
cpe:2.3:a:oracle:banking_platform:2.7.1:::::::*
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:::::::*
cpe:2.3:a:oracle:primavera_unifier:20.12:::::::*
cpe:2.3:a:oracle:communications_order_and_service_management:7.4:::::::*
cpe:2.3:a:oracle:retail_order_broker:18.0:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:::::::*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:::::::*
cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:::::::*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:::::::*
cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:::::::*
cpe:2.3:a:oracle:commerce_guided_search:11.3.2:::::::*
cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:::::::*
cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:::::::*
cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:::::::*
cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:19.1:::::::*
cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:::::::*
cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:::::::*
cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:::::::*
cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:::::::*
cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:::::::*
cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:::::::*
cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:::::::*
cpe:2.3:a:oracle:banking_party_management:2.7.0:::::::*
cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:::::::*
cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:::::::*
cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:::::::*
cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:::::::*
cpe:2.3:a:oracle:communications_order_and_service_management:7.3:::::::*
cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:::::::*
cpe:2.3:a:oracle:access_manager:12.2.1.4.0:::::::*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::	8.0.7	8.1.1
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:::::::*
cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:::::::*
cpe:2.3:a:oracle:primavera_unifier:21.12:::::::*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:::::::*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:::::::*
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:::::::*
cpe:2.3:a:oracle:retail_service_backbone:19.0.0:::::::*
cpe:2.3:a:oracle:retail_service_backbone::::::::	16.0.1	16.0.3
cpe:2.3:a:oracle:retail_integration_bus::::::::	16.0.1	16.0.3
cpe:2.3:a:oracle:communications_service_broker:6.2:::::::*
cpe:2.3:a:oracle:banking_digital_experience:21.1:::::::*
cpe:2.3:a:oracle:banking_apis:19.1:::::::*
cpe:2.3:a:oracle:banking_apis:19.2:::::::*
cpe:2.3:a:oracle:banking_apis:20.1:::::::*
cpe:2.3:a:oracle:banking_apis:21.1:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:::::::*
cpe:2.3:a:oracle:application_performance_management:13.5.1.0:::::::*
cpe:2.3:a:oracle:application_performance_management:13.4.1.0:::::::*
cpe:2.3:a:oracle:banking_platform::::::::	2.3.0	2.4.1
cpe:2.3:a:oracle:banking_enterprise_default_managment::::::::	2.3.0	2.4.0
cpe:2.3:a:oracle:banking_apis:18.2:::::::*
cpe:2.3:a:oracle:banking_digital_experience:17.2:::::::*
cpe:2.3:a:oracle:banking_apis:18.1:::::::*
cpe:2.3:a:oracle:banking_apis:18.3:::::::*
cpe:2.3:a:oracle:communications_design_studio:7.3.5:::::::*
cpe:2.3:a:oracle:financial_services_model_management_and_governance::::::::	8.0.8	8.1.1
cpe:2.3:a:oracle:enterprise_communications_broker:3.3:::::::*
cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:::::::*
cpe:2.3:a:oracle:oss_support_tools::::::::				2.12.42
cpe:2.3:a:oracle:retail_service_backbone:14.1.3.0:::::::*
cpe:2.3:a:oracle:retail_service_backbone:19.0.1:::::::*
cpe:2.3:a:oracle:retail_integration_bus:14.1.3.0:::::::*
cpe:2.3:a:oracle:retail_integration_bus:19.0.0:::::::*
cpe:2.3:a:oracle:retail_integration_bus:19.0.1:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:::::::*
cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:::::::*
cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:::::::*
cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:::::::*
cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:::::::*
cpe:2.3:a:oracle:communications_diameter_intelligence_hub::::::::	8.0.0	8.1.0
cpe:2.3:a:oracle:insurance_policy_administration:11.2.8:::::::*
cpe:2.3:a:oracle:communications_diameter_intelligence_hub::::::::	8.2.0	8.2.3
cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.5.0:::::::*
cpe:2.3:a:oracle:blockchain_platform::::::::				21.1.2
cpe:2.3:a:oracle:insurance_rules_palette:11.2.8:::::::*
cpe:2.3:a:oracle:health_sciences_information_manager::::::::	3.0.1	3.0.4
cpe:2.3:a:oracle:helidon:2.2.0:::::::*
cpe:2.3:a:oracle:helidon:1.4.7:::::::*
cpe:2.3:a:oracle:communications_policy_management:12.5.0.0.0:::::::*
cpe:2.3:a:oracle:communications_design_studio::::::::	7.4.0	7.4.2
cpe:2.3:a:oracle:communications_contacts_server:8.0.0.6.0:::::::*
cpe:2.3:a:oracle:rest_data_services:::::-:::*				21.2
cpe:2.3:a:oracle:rest_data_services:21.3::::-:::
cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:::::::*
cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:::::::*
cpe:2.3:a:oracle:retail_pricing:19.0.1:::::::*
cpe:2.3:a:oracle:flexcube_core_banking::::::::	11.6.0	11.8.0