First published: Mon Apr 12 2021
Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation in the FilenameUtils.normalize method. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Credit: security@apache.org
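The description above concerns path normalisation that does not stop "dot dot" sequences from escaping an intended directory. As an added example that is not code from the advisory or from the Commons IO project, the JDK-only Java class below shows the containment check an application serving files from a base directory should apply regardless of which Commons IO version it ships: reject absolute paths and NUL bytes, normalise the candidate lexically, verify it still lies under the base, then verify again after symlinks are resolved. The class name `SafeFileResolver`, the temporary directory and the sample inputs are constructed for the demo; nothing here depends on `FilenameUtils.normalize`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Constructed example: resolves client-supplied names strictly below a base directory. */
public final class SafeFileResolver {
    private final Path baseDir;

    public SafeFileResolver(Path baseDir) throws IOException {
        // Canonicalise the base once so symlinks in the base itself cannot confuse the check.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the real path of a regular file below baseDir, or throws if the
     * supplied name would escape it. Lexical normalisation alone is not trusted.
     */
    public Path resolve(String userSupplied) throws IOException {
        if (userSupplied == null || userSupplied.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // NUL bytes are checked before Paths.get, which may itself reject them.
        if (userSupplied.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in filename");
        }
        Path requested = Paths.get(userSupplied);
        if (requested.isAbsolute()) {
            throw new IllegalArgumentException("absolute path rejected");
        }
        // Lexical normalisation ("a/../b" -> "b"), then a containment check on the
        // normalised form catches "../" escapes before anything touches the disk.
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory: " + userSupplied);
        }
        // Follow symlinks: the real path must still be under baseDir and be a plain file.
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {
            throw new SecurityException("symlink escapes base directory: " + userSupplied);
        }
        if (!Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file: " + userSupplied);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo data: a temporary base directory holding one file.
        Path base = Files.createTempDirectory("docs");
        Files.writeString(base.resolve("readme.txt"), "hello");
        SafeFileResolver resolver = new SafeFileResolver(base);

        System.out.println("accepted: " + resolver.resolve("readme.txt"));

        // Each of these must be refused; the first two are traversal attempts,
        // the third is an absolute path.
        String[] rejected = {"../etc/passwd", "//../etc/passwd", "/etc/passwd"};
        for (String name : rejected) {
            try {
                resolver.resolve(name);
                System.out.println("UNEXPECTEDLY accepted: " + name);
            } catch (RuntimeException e) {
                System.out.println("rejected " + name + ": " + e.getMessage());
            }
        }
    }
}
```

`Files.writeString` requires Java 11 or later. The second check after `toRealPath()` matters because a lexically clean name such as `link.txt` can still point outside the base through a symlink; the first check matters because `toRealPath()` throws for names that do not exist, which would otherwise turn a traversal probe into a different error path than a legitimate missing file.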
| Affected Software | Affected Version | How to fix |
|---|---|---|
redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el6ea | 0:2.10.0-1.redhat_00001.1.el6ea |
redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el6ea | 0:3.2.16-1.Final_redhat_00001.1.el6ea |
redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el6ea | 0:5.3.20-4.SP2_redhat_00001.1.el6ea |
redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el6ea | 0:1.4.35-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el6ea | 0:3.0.3-2.redhat_00006.1.el6ea |
redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el6ea | 0:1.3.9-1.Final_redhat_00001.1.el6ea |
redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el6ea | 0:5.0.23-2.SP1_redhat_00001.1.el6ea |
redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el6ea | 0:1.7.2-9.Final_redhat_00010.1.el6ea |
redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el6ea | 0:5.9.12-1.Final_redhat_00001.1.el6ea |
redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el6ea | 0:5.0.3-9.Final_redhat_00008.1.el6ea |
redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el6ea | 0:2.0.39-1.SP2_redhat_00001.1.el6ea |
redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el6ea | 0:7.3.9-2.GA_redhat_00002.1.el6ea |
redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el6ea | 0:1.0.29-1.Final_redhat_00002.1.el6ea |
redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el6ea | 0:1.1.14-2.Final_redhat_00001.1.el6ea |
redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el7ea | 0:2.10.0-1.redhat_00001.1.el7ea |
redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el7ea | 0:3.2.16-1.Final_redhat_00001.1.el7ea |
redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el7ea | 0:5.3.20-4.SP2_redhat_00001.1.el7ea |
redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el7ea | 0:1.4.35-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el7ea | 0:3.0.3-2.redhat_00006.1.el7ea |
redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el7ea | 0:1.3.9-1.Final_redhat_00001.1.el7ea |
redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el7ea | 0:5.0.23-2.SP1_redhat_00001.1.el7ea |
redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el7ea | 0:1.7.2-9.Final_redhat_00010.1.el7ea |
redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el7ea | 0:5.9.12-1.Final_redhat_00001.1.el7ea |
redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el7ea | 0:5.0.3-9.Final_redhat_00008.1.el7ea |
redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el7ea | 0:2.0.39-1.SP2_redhat_00001.1.el7ea |
redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el7ea | 0:7.3.9-2.GA_redhat_00002.1.el7ea |
redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el7ea | 0:1.0.29-1.Final_redhat_00002.1.el7ea |
redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el7ea | 0:1.1.14-2.Final_redhat_00001.1.el7ea |
redhat/eap7-apache-commons-io | <0:2.10.0-1.redhat_00001.1.el8ea | 0:2.10.0-1.redhat_00001.1.el8ea |
redhat/eap7-hal-console | <0:3.2.16-1.Final_redhat_00001.1.el8ea | 0:3.2.16-1.Final_redhat_00001.1.el8ea |
redhat/eap7-hibernate | <0:5.3.20-4.SP2_redhat_00001.1.el8ea | 0:5.3.20-4.SP2_redhat_00001.1.el8ea |
redhat/eap7-ironjacamar | <0:1.4.35-1.Final_redhat_00001.1.el8ea | 0:1.4.35-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jakarta-el | <0:3.0.3-2.redhat_00006.1.el8ea | 0:3.0.3-2.redhat_00006.1.el8ea |
redhat/eap7-jberet | <0:1.3.9-1.Final_redhat_00001.1.el8ea | 0:1.3.9-1.Final_redhat_00001.1.el8ea |
redhat/eap7-jboss-remoting | <0:5.0.23-2.SP1_redhat_00001.1.el8ea | 0:5.0.23-2.SP1_redhat_00001.1.el8ea |
redhat/eap7-jboss-server-migration | <0:1.7.2-9.Final_redhat_00010.1.el8ea | 0:1.7.2-9.Final_redhat_00010.1.el8ea |
redhat/eap7-narayana | <0:5.9.12-1.Final_redhat_00001.1.el8ea | 0:5.9.12-1.Final_redhat_00001.1.el8ea |
redhat/eap7-picketbox | <0:5.0.3-9.Final_redhat_00008.1.el8ea | 0:5.0.3-9.Final_redhat_00008.1.el8ea |
redhat/eap7-undertow | <0:2.0.39-1.SP2_redhat_00001.1.el8ea | 0:2.0.39-1.SP2_redhat_00001.1.el8ea |
redhat/eap7-wildfly | <0:7.3.9-2.GA_redhat_00002.1.el8ea | 0:7.3.9-2.GA_redhat_00002.1.el8ea |
redhat/eap7-wildfly-http-client | <0:1.0.29-1.Final_redhat_00002.1.el8ea | 0:1.0.29-1.Final_redhat_00002.1.el8ea |
redhat/eap7-wildfly-transaction-client | <0:1.1.14-2.Final_redhat_00001.1.el8ea | 0:1.1.14-2.Final_redhat_00001.1.el8ea |
redhat/apache-commons-io | <2.7 | 2.7 |
maven/org.smartboot.servlet:servlet-core | >=0.1.9<=0.6 | |
maven/org.checkerframework.annotatedlib:commons-io | >=2.6<2.7 | 2.7 |
maven/org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io | >=1.4<=1.5 | |
maven/org.apache.commons:commons-io | =1.3.2 | |
maven/net.hasor:cobble-lang | >=4.4.1<=4.6.2 | |
maven/com.virjar:ratel-api | >=1.0.0<=1.3.6 | |
maven/com.liferay:com.liferay.sass.compiler.jsass | =1.0.1 | |
maven/com.diamondq.common:common-thirdparty.jcasbin | =1.4.0 | |
maven/com.cosium.vet:vet | >=1.0<=3.22 | |
maven/commons-io:commons-io | <2.7 | 2.7 |
Apache Commons IO | =2.2 | |
Apache Commons IO | =2.3 | |
Apache Commons IO | =2.4 | |
Apache Commons IO | =2.5 | |
Apache Commons IO | =2.6 | |
Debian Debian Linux | =9.0 | |
Oracle Access Manager | =11.1.2.3.0 | |
Oracle Access Manager | =12.2.1.3.0 | |
Oracle Access Manager | =12.2.1.4.0 | |
Oracle Agile Engineering Data Management | =6.2.1.0 | |
Oracle Agile PLM | =9.3.6 | |
Oracle Application Performance Management | =13.4.1.0 | |
Oracle Application Performance Management | =13.5.1.0 | |
Oracle Application Testing Suite | =13.3.0.1 | |
Oracle Banking Apis | =18.1 | |
Oracle Banking Apis | =18.2 | |
Oracle Banking Apis | =18.3 | |
Oracle Banking Apis | =19.1 | |
Oracle Banking Apis | =19.2 | |
Oracle Banking Apis | =20.1 | |
Oracle Banking Apis | =21.1 | |
Oracle Banking Digital Experience | =17.2 | |
Oracle Banking Digital Experience | =18.1 | |
Oracle Banking Digital Experience | =18.3 | |
Oracle Banking Digital Experience | =19.1 | |
Oracle Banking Digital Experience | =19.2 | |
Oracle Banking Digital Experience | =20.1 | |
Oracle Banking Digital Experience | =21.1 | |
Oracle Banking Enterprise Default Management | =2.6.2 | |
Oracle Banking Enterprise Default Management | =2.7.0 | |
Oracle Banking Enterprise Default Management | =2.7.1 | |
Oracle Banking Enterprise Default Management | =2.10.0 | |
Oracle Banking Enterprise Default Management | =2.12.0 | |
Oracle Banking Enterprise Default Management | >=2.3.0<=2.4.0 | |
Oracle Banking Party Management | =2.7.0 | |
Oracle Banking Platform | >=2.3.0<=2.4.1 | |
Oracle Banking Platform | =2.6.2 | |
Oracle Banking Platform | =2.7.0 | |
Oracle Banking Platform | =2.7.1 | |
Oracle Blockchain Platform | <21.1.2 | |
Oracle Commerce Guided Search | =11.3.2 | |
Oracle Communications Application Session Controller | =3.9.0 | |
Oracle Communications Billing And Revenue Management Elastic Charging Engine | =11.3 | |
Oracle Communications Billing And Revenue Management Elastic Charging Engine | =12.0 | |
Oracle Communications Cloud Native Core Network Repository Function | =1.14.0 | |
Oracle Communications Cloud Native Core Policy | =1.14.0 | |
Oracle Communications Cloud Native Core Unified Data Repository | =1.4.0 | |
Oracle Communications Contacts Server | =8.0.0.6.0 | |
Oracle Communications Converged Application Server - Service Controller | =6.2 | |
Oracle Communications Convergence | =3.0.2.2.0 | |
Oracle Communications Design Studio | >=7.4.0<=7.4.2 | |
Oracle Communications Design Studio | =7.3.5 | |
Oracle Communications Diameter Intelligence Hub | >=8.0.0<=8.1.0 | |
Oracle Communications Diameter Intelligence Hub | >=8.2.0<=8.2.3 | |
Oracle Communications Interactive Session Recorder | =6.3 | |
Oracle Communications Interactive Session Recorder | =6.4 | |
Oracle Communications Offline Mediation Controller | =12.0.0.3 | |
Oracle Communications Order and Service Management | =7.3 | |
Oracle Communications Order and Service Management | =7.4 | |
Oracle Communications Policy Management | =12.5.0.0.0 | |
Oracle Communications Pricing Design Center | =12.0.0.4.0 | |
Oracle Communications Pricing Design Center | =12.0.0.5.0 | |
Oracle Communications Service Broker | =6.2 | |
Oracle Enterprise Communications Broker | =3.3 | |
Oracle Enterprise Session Border Controller | =8.4 | |
Oracle Enterprise Session Border Controller | =9.0 | |
Oracle Financial Services Analytical Applications Infrastructure | >=8.0.7<=8.1.1 | |
Oracle Financial Services Model Management And Governance | >=8.0.8<=8.1.1 | |
Oracle FLEXCUBE Core Banking | >=11.6.0<=11.8.0 | |
Oracle FLEXCUBE Core Banking | =5.2.0 | |
Oracle FLEXCUBE Core Banking | =11.10.0 | |
Oracle Fusion Middleware MapViewer | =12.2.1.4.0 | |
Oracle Health Sciences Data Management Workbench | =2.5.2.1 | |
Oracle Health Sciences Data Management Workbench | =3.0.0.0 | |
Oracle Health Sciences Information Manager | >=3.0.1<=3.0.4 | |
Oracle Healthcare Data Repository | =8.1.0 | |
Oracle Helidon | =1.4.7 | |
Oracle Helidon | =2.2.0 | |
Oracle Insurance Policy Administration | =11.0.2 | |
Oracle Insurance Policy Administration | =11.1.0 | |
Oracle Insurance Policy Administration | =11.2.8 | |
Oracle Insurance Policy Administration | =11.3.0 | |
Oracle Insurance Policy Administration | =11.3.1 | |
Oracle Insurance Rules Palette | =11.0.2 | |
Oracle Insurance Rules Palette | =11.1.0 | |
Oracle Insurance Rules Palette | =11.2.8 | |
Oracle Insurance Rules Palette | =11.3.0 | |
Oracle Insurance Rules Palette | =11.3.1 | |
Oracle OSS Support Tools | <2.12.42 | |
Oracle Primavera Unifier | >=17.7<=17.12 | |
Oracle Primavera Unifier | =18.8 | |
Oracle Primavera Unifier | =19.12 | |
Oracle Primavera Unifier | =20.12 | |
Oracle Primavera Unifier | =21.12 | |
Oracle Real User Experience Insight | =13.4.1.0 | |
Oracle Real User Experience Insight | =13.5.1.0 | |
Oracle REST Data Services | <21.2 | |
Oracle REST Data Services | =21.3 | |
Oracle Retail Assortment Planning | =16.0.3 | |
Oracle Retail Integration Bus | >=16.0.1<=16.0.3 | |
Oracle Retail Integration Bus | =13.0 | |
Oracle Retail Integration Bus | =14.1.3.0 | |
Oracle Retail Integration Bus | =14.1.3.2 | |
Oracle Retail Integration Bus | =15.0.3.1 | |
Oracle Retail Integration Bus | =19.0.0 | |
Oracle Retail Integration Bus | =19.0.1 | |
Oracle Retail Merchandising System | =16.0.3 | |
Oracle Retail Merchandising System | =19.0.1 | |
Oracle Retail Order Broker | =16.0 | |
Oracle Retail Order Broker | =18.0 | |
Oracle Retail Order Broker | =19.1 | |
Oracle Retail Pricing | =19.0.1 | |
Oracle Retail Service Backbone | >=16.0.1<=16.0.3 | |
Oracle Retail Service Backbone | =14.1.3.0 | |
Oracle Retail Service Backbone | =14.1.3.2 | |
Oracle Retail Service Backbone | =15.0.3.1 | |
Oracle Retail Service Backbone | =19.0.0 | |
Oracle Retail Service Backbone | =19.0.1 | |
Oracle Retail Size Profile Optimization | =16.0.3 | |
Oracle Retail Xstore Point of Service | =17.0.4 | |
Oracle Retail Xstore Point of Service | =18.0.3 | |
Oracle Retail Xstore Point of Service | =19.0.2 | |
Oracle Retail Xstore Point of Service | =20.0.1 | |
Oracle Solaris Cluster | =4.0 | |
Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
Oracle WebCenter Portal | =12.2.1.3.0 | |
Oracle WebCenter Portal | =12.2.1.4.0 | |
Oracle WebLogic Server | =12.1.3.0.0 | |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 | |
Oracle WebLogic Server | =14.1.1.0.0 | |
Netapp Active Iq Unified Manager Linux | | |
Netapp Active Iq Unified Manager Vmware Vsphere | | |
Netapp Active Iq Unified Manager Windows | | |
IBM Cognos Analytics 11.2.x | <=IBM Cognos Analytics 11.2.x | |
IBM Cognos Analytics 11.1.x | <=IBM Cognos Analytics 11.1.x | |