Vulnerabilities Details

  • Home
  • Vulnerabilities Details

ZMC-2021.04.21.0420

apache-commons-io: Access confidential data - Existing account

Operating System:

[WIN][UNIX/LINUX]

Published:

21st April 2021

VulnerabilitiesZMC-2021.04.21.0420 ZMC-2021.04.21.0420 


===========================================================================
                         ZMCIRT Vulnerability Bulletin

                             ZMC-2021.04.21.0420
        apache-commons-io: Access confidential data - Existing account
                               21st April 2021

===========================================================================

Product:           apache-commons-io
Publisher:         SUSE
Operating System:  SUSE
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-29425  

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2021/suse-su-20211282-1

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than SUSE. It is recommended that administrators 
         running apache-commons-io check for an updated version of the 
         software for their operating system.


SUSE Security Update: Security update for apache-commons-io

______________________________________________________________________________

Announcement ID:   SUSE-SU-2021:1282-1
Rating:            moderate
References:        #1184755
Cross-References:  CVE-2021-29425
Affected Products:
                   SUSE Linux Enterprise Module for Basesystem 15-SP2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for apache-commons-io fixes the following issues:

  o CVE-2021-29425: Limited path traversal when invoking the method
    FileNameUtils.normalize with an improper input string (bsc#1184755)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Module for Basesystem 15-SP2:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1282=1

Package List:

  o SUSE Linux Enterprise Module for Basesystem 15-SP2 (noarch):
       apache-commons-io-2.6-3.3.1


References:

  o https://www.suse.com/security/cve/CVE-2021-29425.html
  o https://bugzilla.suse.com/1184755


 
ZMCIRT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. ZMCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Internet Email: report@cirt.zm     
Telephone:     7070 
                ZMCIRT personnel answer during Zambian business hours 
                which are 8am to 5pm.
                On call after hours for member emergencies only.
===========================================================================

Copyright @2023 ZAMBIA CIRT