[jira] [Updated] (TEZ-4353) Update commons-io to 2.7

D M Murali Krishna Reddy (Jira) Tue, 16 Nov 2021 00:04:07 -0800


     [ 
https://issues.apache.org/jira/browse/TEZ-4353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


D M Murali Krishna Reddy updated TEZ-4353:
------------------------------------------
    Affects Version/s: 0.10.0

> Update commons-io to 2.7
> ------------------------
>
>                 Key: TEZ-4353
>                 URL: https://issues.apache.org/jira/browse/TEZ-4353
>             Project: Apache Tez
>          Issue Type: Improvement
>    Affects Versions: 0.10.0
>            Reporter: D M Murali Krishna Reddy
>            Priority: Major
>
> [https://nvd.nist.gov/vuln/detail/CVE-2021-29425]
> In Apache Commons IO before 2.7, When invoking the method 
> FileNameUtils.normalize with an improper input string, like "//../foo", or 
> "\\..\foo", the result would be the same value, thus possibly providing 
> access to files in the parent directory, but not further above (thus 
> "limited" path traversal), if the calling code would use the result to 
> construct a path value.
> It is better to upgrade from 2.4 to 2.7 to fix the vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Updated] (TEZ-4353) Update commons-io to 2.7

Reply via email to