Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
CVE-2021-29425
CVE information
Published
Last Modified
CVSSv2.0 Severity
CVSSv3.1 Severity
Impact Analysis
Description
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value..
CVSSv2.0 Score
- Severity
- Medium
- Base Score
- 5.8/10
- Exploit Score
- 8.6/10
- Access Vector
- Network
- Access Complexity
- Medium
- Authentication Required
- None
- Impact Score
- 4.9/10
- Confidentiality Impact
- Partial
- Availability Impact
- None
- Integrity Impact
- Partial
CVSSv3.1 Score
- Severity
- Medium
- Base Score
- 4.8/10
- Exploit Score
- 2.2/10
- Access Vector
- Network
- Access Complexity
- High
- Privileges Required
- None
- Impact Score
- 2.5/10
- Confidentiality Impact
- Low
- Availability Impact
- None
- Integrity Impact
- Low
- Scope
- Unchanged
- User Interaction
- None
Products Affected
| CPE | Affected | Vulnerable | Excluding | Edit |
|---|---|---|---|---|
| cpe:2.3:a:apache:commons_io:2.2:-:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:commons_io:2.3:-:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:commons_io:2.4:-:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:commons_io:2.5:-:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:apache:commons_io:2.6:-:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_integration_bus:13.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:solaris_cluster:4.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* |
Yes
|
17.7 | - | |
| cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_order_and_service_management |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_billing_and_revenue_manageme |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_billing_and_revenue_manageme |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_interactive_session_recorder |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_interactive_session_recorder |
Yes
|
- | - | |
| cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_cloud_native_core_unified_da |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_application_session_controll |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_converged_application_server |
Yes
|
- | - | |
| cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_enterprise_default_management:2.12. |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_enterprise_default_management:2.10. |
Yes
|
- | - | |
| cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_cloud_native_core_network_re |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_order_and_service_management |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:financial_services_analytical_applications_ |
Yes
|
8.0.7 | - | |
| cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_service_backbone:19.0.0:*:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:* |
Yes
|
16.0.1 | - | |
| cpe:2.3:a:oracle:retail_integration_bus:*:*:*:*:*:*:*:* |
Yes
|
16.0.1 | - | |
| cpe:2.3:a:oracle:communications_service_broker:6.2:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.1 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:application_performance_management:13.5.1.0 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:application_performance_management:13.4.1.0 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:* |
Yes
|
2.3.0 | - | |
| cpe:2.3:a:oracle:banking_enterprise_default_managment:*:*:*: |
Yes
|
2.3.0 | - | |
| cpe:2.3:a:oracle:banking_apis:18.2:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_digital_experience:17.2:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_apis:18.1:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:financial_services_model_management_and_gov |
Yes
|
8.0.8 | - | |
| cpe:2.3:a:oracle:enterprise_communications_broker:3.3:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_offline_mediation_controller |
Yes
|
- | - | |
| cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:* |
Yes
|
- | 2.12.42 | |
| cpe:2.3:a:oracle:retail_service_backbone:14.1.3.0:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_integration_bus:14.1.3.0:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_integration_bus:19.0.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:*:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*: |
Yes
|
8.0.0 | - | |
| cpe:2.3:a:oracle:insurance_policy_administration:11.2.8:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*: |
Yes
|
8.2.0 | - | |
| cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:* |
Yes
|
- | 21.1.2 | |
| cpe:2.3:a:oracle:insurance_rules_palette:11.2.8:*:*:*:*:*:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:* |
Yes
|
3.0.1 | - | |
| cpe:2.3:a:oracle:helidon:2.2.0:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:helidon:1.4.7:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_policy_management:12.5.0.0.0 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:communications_design_studio:*:*:*:*:*:*:*: |
Yes
|
7.4.0 | - | |
| cpe:2.3:a:oracle:communications_contacts_server:8.0.0.6.0:*: |
Yes
|
- | - | |
| cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:* |
Yes
|
- | 21.2 | |
| cpe:2.3:a:oracle:rest_data_services:21.3:*:*:*:-:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:health_sciences_data_management_workbench:2 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:health_sciences_data_management_workbench:3 |
Yes
|
- | - | |
| cpe:2.3:a:oracle:retail_pricing:19.0.1:*:*:*:*:*:*:* |
Yes
|
- | - | |
| cpe:2.3:a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:* |
Yes
|
11.6.0 | - | |
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_ |
Yes
|
- | - | |
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:* |
Yes
|
- | - | |
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows |
Yes
|
- | - |
References
- https://issues.apache.org/jira/browse/IO-556
- https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b
- https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20220210-0004/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde4
- https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3
- https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81b
- https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8
- https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f247
- https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee7
- https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9e
- https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4
- https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c172
- https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65
- https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1b
- https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933b
- https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb0
- https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca3
- https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0
- https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa3
- https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd
- https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d
- https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a9158
- https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4
- https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a6
- https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabce
- https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6c
- https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e126
- https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523d
- https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bd
- https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074e
- https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90f
- https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208
- https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a8
- https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac2
- https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be
- https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e8
- https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470
- https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca
- https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce
- https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1
- https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88f
- https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c165