Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <feeee9a5-f774-6b87-ca7d-df57abc0ea02@apache.org>
Date: Sun, 23 Mar 2025 13:29:52 +0000
From: "Gary D. Gregory" <ggregory@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-27553: Apache Commons VFS: Possible path traversal issue
 when using NameScope.DESCENDENT 

Severity: low

Affected versions:

- Apache Commons VFS before 2.10.0

Description:

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.

The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of
the base file". However, when the path contains encoded ".."
characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not
a descendent of the base file, without throwing an exception.
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.

Credit:

Arnout Engelen (finder)

References:

https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27553

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.