Details
Description
https://nvd.nist.gov/vuln/detail/CVE-2021-29425
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
We don't use this API in the Hadoop code, but it's still good to update anyway (we're on 2.5, which is 4 years old)
Attachments
Issue Links
- breaks
-
MAPREDUCE-7348 TestFrameworkUploader#testNativeIO fails
- Resolved
- is related to
-
HADOOP-17972 Backport HADOOP-17683 for branch-3.2
- Resolved
- links to