[
https://issues.apache.org/jira/browse/SUBMARINE-944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kai-Hsun Chen resolved SUBMARINE-944.
-------------------------------------
Resolution: Fixed
> Bump io:commons-io to 2.11
> --------------------------
>
> Key: SUBMARINE-944
> URL: https://issues.apache.org/jira/browse/SUBMARINE-944
> Project: Apache Submarine
> Issue Type: Improvement
> Components: Commons
> Reporter: Kevin Su
> Assignee: Kevin Su
> Priority: Major
> Labels: pull-request-available
> Fix For: 0.6.0
>
>
> h5. [CVE-2021-29425|https://github.com/advisories/GHSA-gwrp-pvrq-jmwv]
> *Vulnerable versions:* < 2.7
> *Patched version:* 2.7
> In Apache Commons IO before 2.7, When invoking the method
> FileNameUtils.normalize with an improper input string, like "//../foo", or
> "\..\foo", the result would be the same value, thus possibly providing access
> to files in the parent directory, but not further above (thus "limited" path
> traversal), if the calling code would use the result to construct a path
> value.
> [https://github.com/apache/submarine/security/dependabot/pom.xml/commons-io:commons-io/open]
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@submarine.apache.org
For additional commands, e-mail: dev-h...@submarine.apache.org
