5.8
CVE-2021-29425
- EPSS 0.48%
- Published 13.04.2021 07:15:12
- Last modified 21.11.2024 06:01:04
- Source security@apache.org
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value.
Data provided by the National Vulnerability Database (NVD)
Apache ≫ Commons Io Version 2.2
Apache ≫ Commons Io Version 2.3
Apache ≫ Commons Io Version 2.4
Apache ≫ Commons Io Version 2.5
Apache ≫ Commons Io Version 2.6
Debian ≫ Debian Linux Version 9.0
Oracle ≫ Access Manager Version 11.1.2.3.0
Oracle ≫ Access Manager Version 12.2.1.3.0
Oracle ≫ Access Manager Version 12.2.1.4.0
Oracle ≫ Agile Engineering Data Management Version 6.2.1.0
Oracle ≫ Application Performance Management Version 13.4.1.0
Oracle ≫ Application Performance Management Version 13.5.1.0
Oracle ≫ Application Testing Suite Version 13.3.0.1
Oracle ≫ Banking Apis Version 18.1
Oracle ≫ Banking Apis Version 18.2
Oracle ≫ Banking Apis Version 18.3
Oracle ≫ Banking Apis Version 19.1
Oracle ≫ Banking Apis Version 19.2
Oracle ≫ Banking Apis Version 20.1
Oracle ≫ Banking Apis Version 21.1
Oracle ≫ Banking Digital Experience Version 17.2
Oracle ≫ Banking Digital Experience Version 18.1
Oracle ≫ Banking Digital Experience Version 18.3
Oracle ≫ Banking Digital Experience Version 19.1
Oracle ≫ Banking Digital Experience Version 19.2
Oracle ≫ Banking Digital Experience Version 20.1
Oracle ≫ Banking Digital Experience Version 21.1
Oracle ≫ Banking Enterprise Default Management Version 2.6.2
Oracle ≫ Banking Enterprise Default Management Version 2.7.0
Oracle ≫ Banking Enterprise Default Management Version 2.7.1
Oracle ≫ Banking Enterprise Default Management Version 2.10.0
Oracle ≫ Banking Enterprise Default Management Version 2.12.0
Oracle ≫ Banking Enterprise Default Managment Version >= 2.3.0 <= 2.4.0
Oracle ≫ Banking Party Management Version 2.7.0
Oracle ≫ Banking Platform Version >= 2.3.0 <= 2.4.1
Oracle ≫ Banking Platform Version 2.6.2
Oracle ≫ Banking Platform Version 2.7.0
Oracle ≫ Banking Platform Version 2.7.1
Oracle ≫ Blockchain Platform Version < 21.1.2
Oracle ≫ Commerce Guided Search Version 11.3.2
Oracle ≫ Communications Application Session Controller Version 3.9.0
Oracle ≫ Communications Cloud Native Core Network Repository Function Version 1.14.0
Oracle ≫ Communications Cloud Native Core Policy Version 1.14.0
Oracle ≫ Communications Cloud Native Core Unified Data Repository Version 1.4.0
Oracle ≫ Communications Contacts Server Version 8.0.0.6.0
Oracle ≫ Communications Convergence Version 3.0.2.2.0
Oracle ≫ Communications Design Studio Version >= 7.4.0 <= 7.4.2
Oracle ≫ Communications Design Studio Version 7.3.5
Oracle ≫ Communications Diameter Intelligence Hub Version >= 8.0.0 <= 8.1.0
Oracle ≫ Communications Diameter Intelligence Hub Version >= 8.2.0 <= 8.2.3
Oracle ≫ Communications Interactive Session Recorder Version 6.3
Oracle ≫ Communications Interactive Session Recorder Version 6.4
Oracle ≫ Communications Offline Mediation Controller Version 12.0.0.3
Oracle ≫ Communications Order And Service Management Version 7.3
Oracle ≫ Communications Order And Service Management Version 7.4
Oracle ≫ Communications Policy Management Version 12.5.0.0.0
Oracle ≫ Communications Pricing Design Center Version 12.0.0.4.0
Oracle ≫ Communications Pricing Design Center Version 12.0.0.5.0
Oracle ≫ Communications Service Broker Version 6.2
Oracle ≫ Enterprise Communications Broker Version 3.3
Oracle ≫ Enterprise Session Border Controller Version 8.4
Oracle ≫ Enterprise Session Border Controller Version 9.0
Oracle ≫ Financial Services Analytical Applications Infrastructure Version >= 8.0.7 <= 8.1.1
Oracle ≫ Financial Services Model Management And Governance Version >= 8.0.8 <= 8.1.1
Oracle ≫ Flexcube Core Banking Version >= 11.6.0 <= 11.8.0
Oracle ≫ Flexcube Core Banking Version 5.2.0
Oracle ≫ Flexcube Core Banking Version 11.10.0
Oracle ≫ Fusion Middleware Mapviewer Version 12.2.1.4.0
Oracle ≫ Health Sciences Data Management Workbench Version 2.5.2.1
Oracle ≫ Health Sciences Data Management Workbench Version 3.0.0.0
Oracle ≫ Health Sciences Information Manager Version >= 3.0.1 <= 3.0.4
Oracle ≫ Healthcare Data Repository Version 8.1.0
Oracle ≫ Insurance Policy Administration Version 11.0.2
Oracle ≫ Insurance Policy Administration Version 11.1.0
Oracle ≫ Insurance Policy Administration Version 11.2.8
Oracle ≫ Insurance Policy Administration Version 11.3.0
Oracle ≫ Insurance Policy Administration Version 11.3.1
Oracle ≫ Insurance Rules Palette Version 11.0.2
Oracle ≫ Insurance Rules Palette Version 11.1.0
Oracle ≫ Insurance Rules Palette Version 11.2.8
Oracle ≫ Insurance Rules Palette Version 11.3.0
Oracle ≫ Insurance Rules Palette Version 11.3.1
Oracle ≫ Oss Support Tools Version < 2.12.42
Oracle ≫ Primavera Unifier Version >= 17.7 <= 17.12
Oracle ≫ Primavera Unifier Version 18.8
Oracle ≫ Primavera Unifier Version 19.12
Oracle ≫ Primavera Unifier Version 20.12
Oracle ≫ Primavera Unifier Version 21.12
Oracle ≫ Real User Experience Insight Version 13.4.1.0
Oracle ≫ Real User Experience Insight Version 13.5.1.0
Oracle ≫ Rest Data Services Version < 21.2
Oracle ≫ Rest Data Services Version 21.3
Oracle ≫ Retail Assortment Planning Version 16.0.3
Oracle ≫ Retail Integration Bus Version >= 16.0.1 <= 16.0.3
Oracle ≫ Retail Integration Bus Version 13.0
Oracle ≫ Retail Integration Bus Version 14.1.3.0
Oracle ≫ Retail Integration Bus Version 14.1.3.2
Oracle ≫ Retail Integration Bus Version 15.0.3.1
Oracle ≫ Retail Integration Bus Version 19.0.0
Oracle ≫ Retail Integration Bus Version 19.0.1
Oracle ≫ Retail Merchandising System Version 16.0.3
Oracle ≫ Retail Merchandising System Version 19.0.1
Oracle ≫ Retail Order Broker Version 16.0
Oracle ≫ Retail Order Broker Version 18.0
Oracle ≫ Retail Order Broker Version 19.1
Oracle ≫ Retail Pricing Version 19.0.1
Oracle ≫ Retail Service Backbone Version >= 16.0.1 <= 16.0.3
Oracle ≫ Retail Service Backbone Version 14.1.3.0
Oracle ≫ Retail Service Backbone Version 14.1.3.2
Oracle ≫ Retail Service Backbone Version 15.0.3.1
Oracle ≫ Retail Service Backbone Version 19.0.0
Oracle ≫ Retail Service Backbone Version 19.0.1
Oracle ≫ Retail Size Profile Optimization Version 16.0.3
Oracle ≫ Retail Xstore Point Of Service Version 17.0.4
Oracle ≫ Retail Xstore Point Of Service Version 18.0.3
Oracle ≫ Retail Xstore Point Of Service Version 19.0.2
Oracle ≫ Retail Xstore Point Of Service Version 20.0.1
Oracle ≫ Solaris Cluster Version 4.0
Oracle ≫ Utilities Testing Accelerator Version 6.0.0.1.1
Oracle ≫ Utilities Testing Accelerator Version 6.0.0.2.2
Oracle ≫ Utilities Testing Accelerator Version 6.0.0.3.1
Oracle ≫ Webcenter Portal Version 12.2.1.3.0
Oracle ≫ Webcenter Portal Version 12.2.1.4.0
Oracle ≫ Weblogic Server Version 12.1.3.0.0
Oracle ≫ Weblogic Server Version 12.2.1.3.0
Oracle ≫ Weblogic Server Version 12.2.1.4.0
Oracle ≫ Weblogic Server Version 14.1.1.0.0
Netapp ≫ Active Iq Unified Manager Version - SwPlatform linux
Netapp ≫ Active Iq Unified Manager Version - SwPlatform vmware_vsphere
Netapp ≫ Active Iq Unified Manager Version - SwPlatform windows
No CISA KEV entry or CERT.AT advisory was found for this CVE.
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 0.48% | 0.644
Source | Base Score | Exploit Score | Impact Score | Vector String
---|---|---|---|---
nvd@nist.gov | 4.8 | 2.2 | 2.5 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
nvd@nist.gov | 5.8 | 8.6 | 4.9 | AV:N/AC:M/Au:N/C:P/I:P/A:N
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.