Ankush Rana created TIKA-3206:
---------------------------------

             Summary: commons-io 2.6, which is a transitive dependency of Tika, is vulnerable to "sonatype-2018-0705".
                 Key: TIKA-3206
                 URL: https://issues.apache.org/jira/browse/TIKA-3206
             Project: Tika
          Issue Type: Bug
    Affects Versions: 1.24.1, 1.24, 1.23
            Reporter: Ankush Rana


Tika embeds commons-io-2.6.jar, which is vulnerable to "sonatype-2018-0705".
h4. ISSUE
sonatype-2018-0705
h4. SEVERITY
Sonatype CVSS 3: 7.8
CVE CVSS 2.0: 0.0

h4. EXPLANATION
The {{commons-io}} package is vulnerable to Path Traversal. The {{getPrefixLength}} method in {{FilenameUtils.class}} improperly verifies the hostname value received from user input before processing client requests. An attacker could abuse this behavior by crafting a special payload containing unexpected characters, which could allow access to unintended resources.
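A defensive check that a caller can apply regardless of what the library's prefix parsing returns, written here as an added example (it is not code from Tika or commons-io, and the class and method names {{SafePathResolver}} / {{resolveInside}} are made up for illustration): the user-controlled name is resolved under a fixed base directory and rejected unless the result still lies under that directory, both lexically and after symlinks are followed. It uses only the JDK, so it does not depend on the affected {{FilenameUtils}} code path at all.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Tika or commons-io code): a containment check that does not
 * rely on a library's normalize()/getPrefixLength() classifying the prefix correctly.
 * Any code that turns user input into a filesystem path resolves it under a fixed
 * base directory and keeps the result only if it is still inside that directory.
 */
public final class SafePathResolver {

    private SafePathResolver() {}

    /**
     * Resolves userSupplied under baseDir and returns the resulting path only if it
     * stays inside baseDir; otherwise returns null.
     */
    public static Path resolveInside(Path baseDir, String userSupplied) throws IOException {
        // Canonical form of the sandbox root (follows symlinks, drops ".." segments).
        Path root = baseDir.toRealPath();

        Path candidate;
        try {
            candidate = Paths.get(userSupplied);
        } catch (InvalidPathException e) {
            // Characters the platform refuses in a path name: treat as a rejected input.
            return null;
        }

        // Reject names that carry their own root or prefix ("/etc/passwd", "C:x",
        // "//host/share"): Path.resolve() returns an absolute argument unchanged,
        // discarding baseDir entirely.
        if (candidate.isAbsolute() || candidate.getRoot() != null) {
            return null;
        }

        // Collapse "." and ".." lexically before comparing against the root.
        Path resolved = root.resolve(candidate).normalize();
        if (!resolved.startsWith(root)) {
            return null;
        }

        // If the target already exists, re-check after following any symlinks
        // inside the tree that could point back out of it.
        if (Files.exists(resolved)) {
            Path real = resolved.toRealPath();
            if (!real.startsWith(root)) {
                return null;
            }
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root and inputs; "//../foo" is the shape of input this report describes.
        Path base = Files.createTempDirectory("sandbox-example");
        String[] samples = { "docs/report.txt", "../outside.txt", "//../foo", "/etc/passwd" };
        for (String s : samples) {
            Path p = resolveInside(base, s);
            System.out.println(s + " -> " + (p == null ? "rejected" : p));
        }
    }
}
```

Of the four constructed inputs only "docs/report.txt" is accepted; the other three are rejected either because they carry their own root ("//../foo" and "/etc/passwd") or because they normalize to a location outside the base directory ("../outside.txt"). The check is done on the path the application actually opens, so it holds even if a library's own normalization is wrong.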
h4. ROOT CAUSE
commons-io-2.6.jar : org/apache/commons/io/FilenameUtils.class : [1.1, 2.7-SNAPSHOT)
org-apache-commons-io-RELEASE113.jar : org/apache/commons/io/FilenameUtils.class : [1.1, 2.7-SNAPSHOT)

h4. ADVISORIES
Project: [https://github.com/apache/commons-io/pull/52]
Project: [https://issues.apache.org/jira/browse/IO-556]
Project: [https://issues.apache.org/jira/browse/IO-559]
h4. CVSS DETAILS
Sonatype CVSS 3: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H



--
This message was sent by Atlassian Jira
(v8.3.4#803005)