[ https://issues.apache.org/jira/browse/TIKA-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17204914#comment-17204914 ]
Tim Allison commented on TIKA-3206:
-----------------------------------

Thank you for opening this issue. We've already upgraded to 2.7 in {{branch_1x}} and {{main}}. That fix will be out with the 1.25 release.

> commons-io : 2.6, which is a transitive dependency of tika is vulnerable to
> "sonatype-2018-0705".
> -------------------------------------------------------------------------------------------------
>
>                 Key: TIKA-3206
>                 URL: https://issues.apache.org/jira/browse/TIKA-3206
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.23, 1.24, 1.24.1
>            Reporter: Ankush Rana
>            Priority: Major
>
> Tika has embedded commons-io.2.6.jar which is vulnerable to "sonatype-2018-0705".
>
> h4. ISSUE
> sonatype-2018-0705
>
> h4. SEVERITY
> Sonatype CVSS 3: 7.8
> CVE CVSS 2.0: 0.0
>
> h4. EXPLANATION
> The {{commons-io}} package is vulnerable to Path Traversal. The {{getPrefixLength}} method in {{FilenameUtils.class}} improperly verifies the hostname value received from user input before processing client requests. An attacker could abuse this behavior by crafting a special payload containing unexpected characters that could allow access to unintended resources.
>
> h4. ROOT CAUSE
> commons-io-2.6.jar org/apache/commons/io/FilenameUtils.class [1.1, 2.7-SNAPSHOT)
> org-apache-commons-io-RELEASE113.jar org/apache/commons/io/FilenameUtils.class [1.1, 2.7-SNAPSHOT)
>
> h4. ADVISORIES
> Project: [https://github.com/apache/commons-io/pull/52]
> Project: https://issues.apache.org/jira/browse/IO-556
> Project: https://issues.apache.org/jira/browse/IO-559
>
> h4. CVSS DETAILS
> Sonatype CVSS 3: 7.8
> CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
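Until the 1.25 release ships, a downstream build can force the patched commons-io onto its own classpath rather than waiting for Tika's transitive version to change. This is an added example, not code from the Tika project or from the issue; it assumes a Maven build that declares tika-core 1.24.1 (one of the affected versions listed above) as a direct dependency.

```xml
<!-- pom.xml fragment (constructed example): pin commons-io to the fixed release -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- A managed version overrides the 2.6 that tika-core pulls in transitively,
           so every module resolving commons-io:commons-io gets 2.7 instead. -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.7</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed consumer dependency; 1.24.1 is still on the vulnerable commons-io 2.6 -->
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-core</artifactId>
      <version>1.24.1</version>
    </dependency>
  </dependencies>

  <!-- Verify the override took effect before shipping:
         mvn dependency:tree -Dincludes=commons-io:commons-io
       The tree should now list commons-io:commons-io:jar:2.7 under tika-core
       and no remaining occurrence of 2.6. Remove the managed version once the
       build moves to Tika 1.25, which already carries 2.7. -->
</project>
```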