CVE-2021-29425
Path Traversal vulnerability in commons-io:commons-io

Tags: Path Traversal, Proof of concept, Fixable by Resolved Security

What is CVE-2021-29425 About?

This is a limited path traversal vulnerability in Apache Commons IO before 2.7, specifically in the `FilenameUtils.normalize` method (the class is `FilenameUtils`; some advisories spell it `FileNameUtils`). An attacker can supply an improper input string such as "//../foo" or "\\..\foo", and the method returns the same value instead of collapsing or rejecting the "..", so calling code that builds a file path from the result may reach files in the immediate parent directory. Because the unprocessed ".." is confined to the leading UNC-style prefix, it cannot climb any further, which is why the traversal is 'limited'. Exploitation is moderately easy for an attacker who controls the input passed to `normalize`.

Affected Software

  • commons-io:commons-io
    • <2.7
  • com.cosium.vet:vet
    • >1.0, <=3.22
  • com.virjar:ratel-api
    • >1.0.0, <=1.3.6
  • net.hasor:cobble-lang
    • >4.4.1, <=4.6.2
  • org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io
    • >1.4, <=1.5
  • org.checkerframework.annotatedlib:commons-io
    • >2.6, <2.7
  • org.smartboot.servlet:servlet-core
    • >0.1.9, <=0.6

Technical Details

A limited path traversal vulnerability exists in Apache Commons IO versions prior to 2.7, within the `FilenameUtils.normalize` method. The method first computes a prefix for the path: an input that starts with two separators is treated as a UNC path, and everything up to the next separator is taken as the hostname. For "//../foo" (or "\\..\foo") the prefix is therefore "//../" with hostname "..", so the dot-dot is never examined as a directory component and is neither collapsed nor reported. Normally `normalize` returns null when a path would climb above its root, and that null is what callers check; here it instead returns the input unchanged, apart from converting separators to the platform separator. A caller that builds a file path from the result, for example base + "//../foo", ends up at base/../foo, one level above the intended directory. Only one level is reachable because only the single ".." hidden in the host position escapes processing; any further ".." in the remainder is handled normally and makes `normalize` return null, which is what makes the traversal 'limited'.
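The calling pattern described above, as an added example that is not code from the commons-io project or from this advisory: a resolver that trusts `normalize()` to return null on any attempt to leave the base directory, beside a resolver that checks containment after canonicalisation. The base directory, probe file names and class name are made up; the outputs noted in the comments assume a POSIX JVM with commons-io before 2.7. No file is read or created, the code only computes paths.

```java
import java.io.File;
import java.io.IOException;

import org.apache.commons.io.FilenameUtils;

// Added example, not code from the commons-io project or from this advisory.
// Assumes commons-io on the classpath; the "vulnerable" outputs below need a
// version before 2.7 and a POSIX JVM. Only path computation, no file access.
public class NormalizeTraversalDemo {

    // Made-up application directory that resolved paths are meant to stay inside.
    static final File BASE = new File("/var/app/data");

    // Vulnerable pattern: relies on normalize() returning null whenever the input
    // tries to climb out of its root. With commons-io < 2.7, "//../etc/passwd"
    // is parsed as a UNC prefix whose hostname is "..", comes back unchanged,
    // and the File constructor resolves it to /var/app/etc/passwd (one level up).
    static File resolveVulnerable(String userPath) {
        String normalized = FilenameUtils.normalize(userPath);
        if (normalized == null) {
            throw new IllegalArgumentException("path escapes base directory: " + userPath);
        }
        return new File(BASE, normalized);
    }

    // Hardened pattern: resolve against the base, canonicalise both sides and
    // check containment. It does not depend on normalize()'s prefix parsing, so
    // it is correct on every commons-io version and also catches symlink escapes.
    static File resolveSafe(String userPath) throws IOException {
        File candidate = new File(BASE, userPath);
        String base = BASE.getCanonicalPath();
        String target = candidate.getCanonicalPath();
        if (!target.equals(base) && !target.startsWith(base + File.separator)) {
            throw new IllegalArgumentException("path escapes base directory: " + userPath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        String[] probes = {
            "reports/q1.txt",        // benign
            "../etc/passwd",         // plain traversal: normalize() returns null on all versions
            "//../etc/passwd",       // CVE-2021-29425 form: survives normalize() before 2.7
            "\\\\..\\etc\\passwd",   // Windows-separator form from the advisory; normalize()
                                     // rewrites it to //../etc/passwd on a POSIX JVM
        };
        for (String p : probes) {
            System.out.println("input: " + p);
            System.out.println("  normalize() -> " + FilenameUtils.normalize(p));
            try {
                System.out.println("  vulnerable resolver -> " + resolveVulnerable(p).getCanonicalPath());
            } catch (IllegalArgumentException e) {
                System.out.println("  vulnerable resolver rejected: " + e.getMessage());
            }
            try {
                System.out.println("  hardened resolver   -> " + resolveSafe(p).getCanonicalPath());
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened resolver rejected: " + e.getMessage());
            }
        }
    }
}
```

With commons-io 2.6 on a POSIX JVM, the third and fourth probes both come back from `normalize()` as `//../etc/passwd`, and the vulnerable resolver lands on `/var/app/etc/passwd`, one level above the base. The hardened resolver rejects the third probe; it accepts the fourth because, to a POSIX `java.io.File`, `\\..\etc\passwd` is a single odd file name inside the base directory, and it was only `normalize()`'s separator conversion that turned it into a traversal. On commons-io 2.7 or later `normalize()` returns null for both crafted probes, so the vulnerable resolver rejects them too.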

What is the Impact of CVE-2021-29425?

Successful exploitation may allow attackers to access and potentially read or modify files in an immediate parent directory of the intended target, leading to information disclosure or unauthorized data alteration.

What is the Exploitability of CVE-2021-29425?

Exploitation requires an attacker to deliver a crafted path string to an application that passes untrusted input through `FilenameUtils.normalize` (Apache Commons IO before 2.7) and then uses the result to build a filesystem path, typically after checking only that `normalize` did not return null. The attacker must control the input to the `normalize` call. The advisory states no authentication or privilege requirement; the preconditions are entirely about how the application handles the input, so a web endpoint or API that resolves user-supplied file names this way can be exploited remotely and without credentials. The practical difficulty lies in finding where an application relies on `FilenameUtils.normalize` and in getting a string such as "//../foo" (or "\\..\foo") through whatever other validation sits in front of it. The vulnerability is limited because it only allows traversal to the immediate parent directory, not to arbitrary directories.

What are the Known Public Exploits?

PoC author and commentary:

  • arsalanraja987: PoC for CVE-2021-29425
  • shoucheng3: PoC for CVE-2021-29425

What are the Available Fixes for CVE-2021-29425?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds strict validation of the hostname in UNC-style paths ("//host/..." or "\\host\..."): the hostname must be an IP address literal (IPv4 or IPv6) or conform to the RFC 3986 "reg-name" syntax, which rejects hostnames such as "..", names that begin with a dash, and other sequences outside that grammar. When the hostname is invalid the UNC prefix is not recognised and `normalize` returns null, the same signal it already gives for "../foo", so callers that test the result for null now reject the crafted input. This fixes CVE-2021-29425 by stopping the ".." from being hidden inside a prefix that path normalization never examines.
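A simplified model of that hostname check, added here as an illustration and not the library's own code: it computes the UNC prefix length the way the fixed version does, returning -1 when the hostname is not acceptable, so that "//../foo" no longer yields a prefix. IPv6 literals are not modelled, the IPv4 test is a plain dotted-quad range check, and the class and method names are made up.

```java
import java.util.regex.Pattern;

// Added example: a simplified model of the UNC hostname validation that
// commons-io 2.7 introduced. Not the library's code; IPv6 literals are not
// modelled and the IPv4 check is a plain dotted-quad range test.
public class UncPrefixCheck {

    static final int NOT_FOUND = -1;

    // One RFC 3986 reg-name label as accepted here: alphanumeric first
    // character, then alphanumerics or '-'.
    private static final Pattern LABEL = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9-]*$");

    static boolean isIPv4(String host) {
        String[] octets = host.split("\\.", -1);
        if (octets.length != 4) return false;
        for (String o : octets) {
            if (o.isEmpty() || o.length() > 3 || !o.chars().allMatch(Character::isDigit)) return false;
            if (Integer.parseInt(o) > 255) return false;
        }
        return true;
    }

    static boolean isRegName(String host) {
        String[] labels = host.split("\\.", -1);
        for (int i = 0; i < labels.length; i++) {
            if (labels[i].isEmpty()) {
                // A single trailing dot is legal; an empty label anywhere else
                // means the hostname is "", starts with '.', or contains "..".
                return i > 0 && i == labels.length - 1;
            }
            if (!LABEL.matcher(labels[i]).matches()) return false;
        }
        return true;
    }

    static boolean isValidHostName(String host) {
        return isIPv4(host) || isRegName(host);
    }

    // Length of a "//host/" or "\\host\" prefix, or NOT_FOUND. Before 2.7 the
    // hostname test at the end was absent, so "//../foo" produced prefix 5
    // with hostname ".." and the dot-dot was never treated as a path component.
    static int uncPrefixLength(String path) {
        if (path.length() < 3 || !isSep(path.charAt(0)) || !isSep(path.charAt(1))) return NOT_FOUND;
        int end = NOT_FOUND;
        for (int i = 2; i < path.length(); i++) {
            if (isSep(path.charAt(i))) { end = i; break; }
        }
        if (end == NOT_FOUND || end == 2) return NOT_FOUND; // no terminating separator, or empty host
        String host = path.substring(2, end);
        return isValidHostName(host) ? end + 1 : NOT_FOUND;
    }

    private static boolean isSep(char c) {
        return c == '/' || c == '\\';
    }

    public static void main(String[] args) {
        // Constructed probes: valid UNC hosts, the CVE-2021-29425 input, and
        // two other hostnames the reg-name grammar rejects.
        String[] probes = {
            "//server01/share/f.txt",   // valid reg-name: prefix 11
            "//10.0.0.5/share",         // valid IPv4 literal: prefix 11
            "//../foo",                 // hostname "..": NOT_FOUND, so normalize() would return null
            "//-bad/x",                 // leading dash: NOT_FOUND
            "//..host/x",               // empty leading labels: NOT_FOUND
        };
        for (String p : probes) {
            System.out.println(p + " -> prefix " + uncPrefixLength(p));
        }
    }
}
```

The important line is the last one in `uncPrefixLength`: a rejected hostname turns the whole prefix into "not found", and in the library that is exactly the condition under which `normalize` returns null, so the crafted input is now rejected by the same null check callers already relied on for "../foo".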

Available Upgrade Options

  • org.checkerframework.annotatedlib:commons-io
    • >2.6, <2.7 → Upgrade to 2.7
  • commons-io:commons-io
    • <2.7 → Upgrade to 2.7


Additional Resources

What are Similar Vulnerabilities to CVE-2021-29425?

Similar Vulnerabilities: CVE-2022-27775, CVE-2022-25647, CVE-2021-36189, CVE-2020-13936, CVE-2019-17558