CVE-2021-29425: Possible limited path traversal vulnerabily in Apache Commons IO

Published Apr 12, 2021
ยท
Updated

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. References: https://www.openwall.com/lists/oss-security/2021/04/12/1 https://issues.apache.org/jira/browse/IO-556

Affected Software

189 affected componentsFixes available
redhat/eap7-apache-commons-io<0:2.10.0-1.redhat_00001.1.el6ea
0:2.10.0-1.redhat_00001.1.el6ea
redhat/eap7-hal-console<0:3.2.16-1.Final_redhat_00001.1.el6ea
0:3.2.16-1.Final_redhat_00001.1.el6ea
redhat/eap7-hibernate<0:5.3.20-4.SP2_redhat_00001.1.el6ea
0:5.3.20-4.SP2_redhat_00001.1.el6ea
redhat/eap7-ironjacamar<0:1.4.35-1.Final_redhat_00001.1.el6ea
0:1.4.35-1.Final_redhat_00001.1.el6ea
redhat/eap7-jakarta-el<0:3.0.3-2.redhat_00006.1.el6ea
0:3.0.3-2.redhat_00006.1.el6ea
redhat/eap7-jberet<0:1.3.9-1.Final_redhat_00001.1.el6ea
0:1.3.9-1.Final_redhat_00001.1.el6ea
redhat/eap7-jboss-remoting<0:5.0.23-2.SP1_redhat_00001.1.el6ea
0:5.0.23-2.SP1_redhat_00001.1.el6ea
redhat/eap7-jboss-server-migration<0:1.7.2-9.Final_redhat_00010.1.el6ea
0:1.7.2-9.Final_redhat_00010.1.el6ea
redhat/eap7-narayana<0:5.9.12-1.Final_redhat_00001.1.el6ea
0:5.9.12-1.Final_redhat_00001.1.el6ea
redhat/eap7-picketbox<0:5.0.3-9.Final_redhat_00008.1.el6ea
0:5.0.3-9.Final_redhat_00008.1.el6ea
redhat/eap7-undertow<0:2.0.39-1.SP2_redhat_00001.1.el6ea
0:2.0.39-1.SP2_redhat_00001.1.el6ea
redhat/eap7-wildfly<0:7.3.9-2.GA_redhat_00002.1.el6ea
0:7.3.9-2.GA_redhat_00002.1.el6ea
redhat/eap7-wildfly-http-client<0:1.0.29-1.Final_redhat_00002.1.el6ea
0:1.0.29-1.Final_redhat_00002.1.el6ea
redhat/eap7-wildfly-transaction-client<0:1.1.14-2.Final_redhat_00001.1.el6ea
0:1.1.14-2.Final_redhat_00001.1.el6ea
redhat/eap7-apache-commons-io<0:2.10.0-1.redhat_00001.1.el7ea
0:2.10.0-1.redhat_00001.1.el7ea
redhat/eap7-hal-console<0:3.2.16-1.Final_redhat_00001.1.el7ea
0:3.2.16-1.Final_redhat_00001.1.el7ea
redhat/eap7-hibernate<0:5.3.20-4.SP2_redhat_00001.1.el7ea
0:5.3.20-4.SP2_redhat_00001.1.el7ea
redhat/eap7-ironjacamar<0:1.4.35-1.Final_redhat_00001.1.el7ea
0:1.4.35-1.Final_redhat_00001.1.el7ea
redhat/eap7-jakarta-el<0:3.0.3-2.redhat_00006.1.el7ea
0:3.0.3-2.redhat_00006.1.el7ea
redhat/eap7-jberet<0:1.3.9-1.Final_redhat_00001.1.el7ea
0:1.3.9-1.Final_redhat_00001.1.el7ea
redhat/eap7-jboss-remoting<0:5.0.23-2.SP1_redhat_00001.1.el7ea
0:5.0.23-2.SP1_redhat_00001.1.el7ea
redhat/eap7-jboss-server-migration<0:1.7.2-9.Final_redhat_00010.1.el7ea
0:1.7.2-9.Final_redhat_00010.1.el7ea
redhat/eap7-narayana<0:5.9.12-1.Final_redhat_00001.1.el7ea
0:5.9.12-1.Final_redhat_00001.1.el7ea
redhat/eap7-picketbox<0:5.0.3-9.Final_redhat_00008.1.el7ea
0:5.0.3-9.Final_redhat_00008.1.el7ea
redhat/eap7-undertow<0:2.0.39-1.SP2_redhat_00001.1.el7ea
0:2.0.39-1.SP2_redhat_00001.1.el7ea
redhat/eap7-wildfly<0:7.3.9-2.GA_redhat_00002.1.el7ea
0:7.3.9-2.GA_redhat_00002.1.el7ea
redhat/eap7-wildfly-http-client<0:1.0.29-1.Final_redhat_00002.1.el7ea
0:1.0.29-1.Final_redhat_00002.1.el7ea
redhat/eap7-wildfly-transaction-client<0:1.1.14-2.Final_redhat_00001.1.el7ea
0:1.1.14-2.Final_redhat_00001.1.el7ea
redhat/eap7-apache-commons-io<0:2.10.0-1.redhat_00001.1.el8ea
0:2.10.0-1.redhat_00001.1.el8ea
redhat/eap7-hal-console<0:3.2.16-1.Final_redhat_00001.1.el8ea
0:3.2.16-1.Final_redhat_00001.1.el8ea
redhat/eap7-hibernate<0:5.3.20-4.SP2_redhat_00001.1.el8ea
0:5.3.20-4.SP2_redhat_00001.1.el8ea
redhat/eap7-ironjacamar<0:1.4.35-1.Final_redhat_00001.1.el8ea
0:1.4.35-1.Final_redhat_00001.1.el8ea
redhat/eap7-jakarta-el<0:3.0.3-2.redhat_00006.1.el8ea
0:3.0.3-2.redhat_00006.1.el8ea
redhat/eap7-jberet<0:1.3.9-1.Final_redhat_00001.1.el8ea
0:1.3.9-1.Final_redhat_00001.1.el8ea
redhat/eap7-jboss-remoting<0:5.0.23-2.SP1_redhat_00001.1.el8ea
0:5.0.23-2.SP1_redhat_00001.1.el8ea
redhat/eap7-jboss-server-migration<0:1.7.2-9.Final_redhat_00010.1.el8ea
0:1.7.2-9.Final_redhat_00010.1.el8ea
redhat/eap7-narayana<0:5.9.12-1.Final_redhat_00001.1.el8ea
0:5.9.12-1.Final_redhat_00001.1.el8ea
redhat/eap7-picketbox<0:5.0.3-9.Final_redhat_00008.1.el8ea
0:5.0.3-9.Final_redhat_00008.1.el8ea
redhat/eap7-undertow<0:2.0.39-1.SP2_redhat_00001.1.el8ea
0:2.0.39-1.SP2_redhat_00001.1.el8ea
redhat/eap7-wildfly<0:7.3.9-2.GA_redhat_00002.1.el8ea
0:7.3.9-2.GA_redhat_00002.1.el8ea
redhat/eap7-wildfly-http-client<0:1.0.29-1.Final_redhat_00002.1.el8ea
0:1.0.29-1.Final_redhat_00002.1.el8ea
redhat/eap7-wildfly-transaction-client<0:1.1.14-2.Final_redhat_00001.1.el8ea
0:1.1.14-2.Final_redhat_00001.1.el8ea
maven/org.smartboot.servlet:servlet-core>=0.1.9<=0.6
maven/org.checkerframework.annotatedlib:commons-io>=2.6<2.7
2.7
maven/org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io>=1.4<=1.5
maven/org.apache.commons:commons-io=1.3.2
maven/net.hasor:cobble-lang>=4.4.1<=4.6.2
maven/com.virjar:ratel-api>=1.0.0<=1.3.6
maven/com.liferay:com.liferay.sass.compiler.jsass=1.0.1
maven/com.diamondq.common:common-thirdparty.jcasbin=1.4.0
maven/com.cosium.vet:vet>=1.0<=3.22
maven/commons-io:commons-io<2.7
2.7
Apache Commons IO=2.2
Apache Commons IO=2.3
Apache Commons IO=2.4
Apache Commons IO=2.5
Apache Commons IO=2.6
Debian Debian Linux=9.0
Oracle Access Manager=11.1.2.3.0
Oracle Access Manager=12.2.1.3.0
Oracle Access Manager=12.2.1.4.0
Oracle Agile Engineering Data Management=6.2.1.0
Oracle Agile PLM=9.3.6
Oracle Application Performance Management=13.4.1.0
Oracle Application Performance Management=13.5.1.0
Oracle Application Testing Suite=13.3.0.1
Oracle Banking Apis=18.1
Oracle Banking Apis=18.2
Oracle Banking Apis=18.3
Oracle Banking Apis=19.1
Oracle Banking Apis=19.2
Oracle Banking Apis=20.1
Oracle Banking Apis=21.1
Oracle Banking Digital Experience=17.2
Oracle Banking Digital Experience=18.1
Oracle Banking Digital Experience=18.3
Oracle Banking Digital Experience=19.1
Oracle Banking Digital Experience=19.2
Oracle Banking Digital Experience=20.1
Oracle Banking Digital Experience=21.1
Oracle Banking Enterprise Default Management=2.6.2
Oracle Banking Enterprise Default Management=2.7.0
Oracle Banking Enterprise Default Management=2.7.1
Oracle Banking Enterprise Default Management=2.10.0
Oracle Banking Enterprise Default Management=2.12.0
Oracle Banking Enterprise Default Managment>=2.3.0<=2.4.0
Oracle Banking Party Management=2.7.0
Oracle Banking Platform>=2.3.0<=2.4.1
Oracle Banking Platform=2.6.2
Oracle Banking Platform=2.7.0
Oracle Banking Platform=2.7.1
Oracle Blockchain Platform<21.1.2
Oracle Commerce Guided Search=11.3.2
Oracle Communications Application Session Controller=3.9.0
Oracle Communications Billing And Revenue Management Elastic Charging Engine=11.3
Oracle Communications Billing And Revenue Management Elastic Charging Engine=12.0
Oracle Communications Cloud Native Core Network Repository Function=1.14.0
Oracle Communications Cloud Native Core Policy=1.14.0
Oracle Communications Cloud Native Core Unified Data Repository=1.4.0
Oracle Communications Contacts Server=8.0.0.6.0
Oracle Communications Converged Application Server - Service Controller=6.2
Oracle Communications Convergence=3.0.2.2.0
Oracle Communications Design Studio>=7.4.0<=7.4.2
Oracle Communications Design Studio=7.3.5
Oracle Communications Diameter Intelligence Hub>=8.0.0<=8.1.0
Oracle Communications Diameter Intelligence Hub>=8.2.0<=8.2.3
Oracle Communications Interactive Session Recorder=6.3
Oracle Communications Interactive Session Recorder=6.4
Oracle Communications Offline Mediation Controller=12.0.0.3
Oracle Communications Order and Service Management=7.3
Oracle Communications Order and Service Management=7.4
Oracle Communications Policy Management=12.5.0.0.0
Oracle Communications Pricing Design Center=12.0.0.4.0
Oracle Communications Pricing Design Center=12.0.0.5.0
Oracle Communications Service Broker=6.2
Oracle Enterprise Communications Broker=3.3
Oracle Enterprise Session Border Controller=8.4
Oracle Enterprise Session Border Controller=9.0
Oracle Financial Services Analytical Applications Infrastructure>=8.0.7<=8.1.1
Oracle Financial Services Model Management And Governance>=8.0.8<=8.1.1
Oracle FLEXCUBE Core Banking>=11.6.0<=11.8.0
Oracle FLEXCUBE Core Banking=5.2.0
Oracle FLEXCUBE Core Banking=11.10.0
Oracle Fusion Middleware MapViewer=12.2.1.4.0
Oracle Health Sciences Data Management Workbench=2.5.2.1
Oracle Health Sciences Data Management Workbench=3.0.0.0
Oracle Health Sciences Information Manager>=3.0.1<=3.0.4
Oracle Healthcare Data Repository=8.1.0
Oracle Helidon=1.4.7
Oracle Helidon=2.2.0
Oracle Insurance Policy Administration=11.0.2
Oracle Insurance Policy Administration=11.1.0
Oracle Insurance Policy Administration=11.2.8
Oracle Insurance Policy Administration=11.3.0
Oracle Insurance Policy Administration=11.3.1
Oracle Insurance Rules Palette=11.0.2
Oracle Insurance Rules Palette=11.1.0
Oracle Insurance Rules Palette=11.2.8
Oracle Insurance Rules Palette=11.3.0
Oracle Insurance Rules Palette=11.3.1
Oracle OSS Support Tools<2.12.42
Oracle Primavera Unifier>=17.7<=17.12
Oracle Primavera Unifier=18.8
Oracle Primavera Unifier=19.12
Oracle Primavera Unifier=20.12
Oracle Primavera Unifier=21.12
Oracle Real User Experience Insight=13.4.1.0
Oracle Real User Experience Insight=13.5.1.0
Oracle REST Data Services<21.2
Oracle REST Data Services=21.3
Oracle Retail Assortment Planning=16.0.3
Oracle Retail Integration Bus>=16.0.1<=16.0.3
Oracle Retail Integration Bus=13.0
Oracle Retail Integration Bus=14.1.3.0
Oracle Retail Integration Bus=14.1.3.2
Oracle Retail Integration Bus=15.0.3.1
Oracle Retail Integration Bus=19.0.0
Oracle Retail Integration Bus=19.0.1
Oracle Retail Merchandising System=16.0.3
Oracle Retail Merchandising System=19.0.1
Oracle Retail Order Broker=16.0
Oracle Retail Order Broker=18.0
Oracle Retail Order Broker=19.1
Oracle Retail Pricing=19.0.1
Oracle Retail Service Backbone>=16.0.1<=16.0.3
Oracle Retail Service Backbone=14.1.3.0
Oracle Retail Service Backbone=14.1.3.2
Oracle Retail Service Backbone=15.0.3.1
Oracle Retail Service Backbone=19.0.0
Oracle Retail Service Backbone=19.0.1
Oracle Retail Size Profile Optimization=16.0.3
Oracle Retail Xstore Point of Service=17.0.4
Oracle Retail Xstore Point of Service=18.0.3
Oracle Retail Xstore Point of Service=19.0.2
Oracle Retail Xstore Point of Service=20.0.1
Oracle Solaris Cluster=4.0
Oracle Utilities Testing Accelerator=6.0.0.1.1
Oracle Utilities Testing Accelerator=6.0.0.2.2
Oracle Utilities Testing Accelerator=6.0.0.3.1
Oracle WebCenter Portal=12.2.1.3.0
Oracle WebCenter Portal=12.2.1.4.0
Oracle WebLogic Server=12.1.3.0.0
Oracle WebLogic Server=12.2.1.3.0
Oracle WebLogic Server=12.2.1.4.0
Oracle WebLogic Server=14.1.1.0.0
NetApp Active Iq Unified Manager Linux
NetApp Active Iq Unified Manager Vmware Vsphere
NetApp Active Iq Unified Manager Windows
redhat/apache-commons-io<2.7
2.7

Remediation

Patch Available

https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E

Patch Available

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2022.html

Event History

Apr 12, 2021
CVE Published
12:00 AM
Data Sourced
via Red Hatยท08:37 PM
DescriptionSeverityAffected Software
Apr 13, 2021
CVE Published
via MITREยท06:50 AM
Data Sourced
via MITREยท06:50 AM
DescriptionWeakness
Apr 26, 2021
Advisory Published
via GitHubยท04:04 PM
Jan 30, 2026
Data Sourced
via IBMยท12:00 AM
DescriptionAffected Software
Nov 8, 58339
Event
07:43 PM
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2021-29425?

CVE-2021-29425 is considered a high severity vulnerability due to its potential for directory traversal attacks.

2

How do I fix CVE-2021-29425?

You can mitigate CVE-2021-29425 by upgrading to the fixed versions of the affected packages listed in the Red Hat advisory.

3

What systems are affected by CVE-2021-29425?

CVE-2021-29425 affects multiple Red Hat Enterprise Application Platform components that utilize Apache Commons IO.

4

Can CVE-2021-29425 lead to data exposure?

Yes, CVE-2021-29425 can allow attackers to gain unauthorized access to arbitrary files on the system, potentially exposing sensitive information.

5

Is CVE-2021-29425 being actively exploited in the wild?

As of the last reports, there are indications that CVE-2021-29425 may be subject to active exploitation, targeting systems running the affected software.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
ยฉ 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203
CVE-2021-29425 - Possible limited path traversal vulnerabily in Apache Commons IO - SecAlerts