Kevin Su created SUBMARINE-944:
----------------------------------
Summary: Bump io:commons-io to 2.11
Key: SUBMARINE-944
URL: https://issues.apache.org/jira/browse/SUBMARINE-944
Project: Apache Submarine
Issue Type: Improvement
Components: Commons
Reporter: Kevin Su
Assignee: Kevin Su
Fix For: 0.6.0
h5. [CVE-2021-29425|https://github.com/advisories/GHSA-gwrp-pvrq-jmwv]
*Vulnerable versions:* < 2.7
*Patched version:* 2.7
In Apache Commons IO before 2.7, When invoking the method
FileNameUtils.normalize with an improper input string, like "//../foo", or
"\..\foo", the result would be the same value, thus possibly providing access
to files in the parent directory, but not further above (thus "limited" path
traversal), if the calling code would use the result to construct a path value.
[https://github.com/apache/submarine/security/dependabot/pom.xml/commons-io:commons-io/open]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
