**Affects PMD Version:** All versions that use commons-io in version 2.6.

All versions are affected by a vulnerability in the commons-io dependency used by this project. The project uses commons-io in version 2.6, which has the vulnerability reported as CVE-2021-29425.
**Description:**

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
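The practical risk in the description is calling code that treats the output of `normalize` as proof that a user-supplied path stays inside an intended directory. The following is an added example (not code from PMD or from commons-io) of a containment check that does not depend on that assumption: it resolves the candidate against a base directory with `java.nio.file`, collapses `..` segments, and only accepts the result if it is still beneath the base. The class name, the helper name and the sample inputs are constructed for illustration; the inputs `//../foo` and `..\foo` are the two forms quoted in the CVE text.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Constructed example: a containment check for user-supplied relative paths
// that relies on a canonical base directory rather than on any single
// normalization routine rejecting every traversal spelling.
public final class SafePathResolver {

    private SafePathResolver() {}

    /**
     * Resolves userInput beneath baseDir and returns the resulting path only
     * if it remains inside baseDir after normalization. Returns null for any
     * input that would escape the base directory.
     */
    public static Path resolveWithin(Path baseDir, String userInput) throws IOException {
        // Canonical, absolute base (symlinks resolved) so the comparison is exact.
        Path base = baseDir.toRealPath();

        // Treat backslashes as separators too: on Unix, Path would otherwise
        // keep "..\foo" as one file name and the ".." would go unnoticed.
        String candidate = userInput.replace('\\', '/');

        // A relative reference must never start at the root. Leading "/" or
        // "//" would make resolve() discard the base entirely, so strip them
        // and let the ".." that follows be judged against the base.
        while (candidate.startsWith("/")) {
            candidate = candidate.substring(1);
        }

        // Resolve against the base, then collapse "." and ".." lexically.
        Path resolved = base.resolve(candidate).normalize();

        // The actual check: the normalized path must still be under base.
        // Path.startsWith compares whole name elements, so a sibling directory
        // whose name merely begins with the base name does not pass.
        if (!resolved.startsWith(base)) {
            return null;
        }
        return resolved;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs, including the two forms named in the CVE.
        Path base = Files.createTempDirectory("safe-base");
        String[] samples = {"reports/a.txt", "dir/../ok.txt", "//../foo", "..\\foo", "../foo"};
        for (String s : samples) {
            Path p = resolveWithin(base, s);
            System.out.println(s + " -> " + (p == null ? "REJECTED" : p));
        }
        // Expected: the first two are accepted (under base); the last three are
        // rejected because they resolve to the parent of base.
    }
}
```

The design point is that the decision is made on the fully resolved absolute path, so it holds regardless of which normalization helper (commons-io 2.6, 2.7, or none) was applied to the input first.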
**Details:**

**Suggested Fix:**

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
**Vulnerability Evidence:**

https://github.com/pmd/pmd/blob/master/pom.xml#L710