Wei-Chiu Chuang created HADOOP-17683:
----------------------------------------
Summary: Update commons-io to 2.8.0
Key: HADOOP-17683
URL: https://issues.apache.org/jira/browse/HADOOP-17683
Project: Hadoop Common
Issue Type: Task
Reporter: Wei-Chiu Chuang
https://nvd.nist.gov/vuln/detail/CVE-2021-29425
In Apache Commons IO before 2.7, When invoking the method
FileNameUtils.normalize with an improper input string, like "//../foo", or
"\\..\foo", the result would be the same value, thus possibly providing access
to files in the parent directory, but not further above (thus "limited" path
traversal), if the calling code would use the result to construct a path value.
We don't use this API in the Hadoop code, but it's still good to update anyway
(we're on 2.5, which is 4 years old)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-dev-h...@hadoop.apache.org
