[
https://issues.apache.org/jira/browse/CODEC-318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823216#comment-17823216
]
Gary D. Gregory commented on CODEC-318:
---------------------------------------
[~arthur.chan]
If you want to report a vulnerability, you must follow
[https://commons.apache.org/security.html]
TY
> Possible path traversal vulnerability in the Digest class CLI
> -------------------------------------------------------------
>
> Key: CODEC-318
> URL: https://issues.apache.org/jira/browse/CODEC-318
> Project: Commons Codec
> Issue Type: Improvement
> Reporter: Sheung Chi Chan
> Priority: Trivial
>
> The {{Digest}} class in the {{cli}} package provides a CLI for calculating a
> message digest with the support of {{DigestUtils}} class. The CLI takes in a
> list of arguments from the users and stores them, assuming all the arguments
> are local file paths for message digestion calculation. These file paths are
> stored as object variables and are processed one by one in the run method.
> The run method opens each of the file paths, reads the content and calculates
> message digests using the {{DigestUtils}} class. All file paths are never
> checked nor sanitized and are directly passed and controlled by the CLI
> users. This opens up vulnerability for path traversal attacks because the
> user of the CLI has full control of the path string. Considering that Apache
> Commons Codec is meant to be used as a library by a general developer, the
> existence of a vulnerable CLI in the library could open up the path traversal
> vulnerability to an attacker on any application adopting the libraries and
> gain illegal access in the execution environment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
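As an added example (not code from Commons Codec or from the reporter), here is a small digest CLI in plain Java that confines every user-supplied path to a base directory before reading it, which is the check the quoted description says the {{Digest}} CLI lacks. It uses java.security.MessageDigest instead of DigestUtils so it runs without the library; the ConfinedDigest class name and the convention that the first argument is the base directory are assumptions.

```java
// Added example, not Commons Codec's own code: a digest CLI that rejects any
// argument resolving outside a base directory (directly or through a symlink).
// Requires Java 17+ for HexFormat.
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

public final class ConfinedDigest {

    /** Resolves userPath against base and fails if the result escapes base. */
    static Path confine(Path base, String userPath) throws IOException {
        Path root = base.toRealPath();                       // canonical base, symlinks resolved
        Path candidate = root.resolve(userPath).normalize(); // absolute input stays absolute here
        if (!candidate.startsWith(root)) {
            throw new IOException("path escapes base directory: " + userPath);
        }
        Path real = candidate.toRealPath();                  // follow symlinks, then re-check
        if (!real.startsWith(root)) {
            throw new IOException("symlink escapes base directory: " + userPath);
        }
        return real;
    }

    /** Streams the file through MessageDigest and returns the lowercase hex digest. */
    static String digestHex(Path file, String algorithm)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        try (InputStream in = Files.newInputStream(file)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return HexFormat.of().formatHex(md.digest());
    }

    // Usage (assumed convention): java ConfinedDigest <baseDir> <file>...
    public static void main(String[] args) throws Exception {
        Path base = Paths.get(args[0]);
        for (int i = 1; i < args.length; i++) {
            Path file = confine(base, args[i]);              // throws before anything is opened
            System.out.println(digestHex(file, "SHA-256") + "  " + args[i]);
        }
    }
}
```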