zhou yong created FLUME-3400:
--------------------------------
Summary: The commons-io version used by flume is 2.1, which is vulnerable.
Key: FLUME-3400
URL: https://issues.apache.org/jira/browse/FLUME-3400
Project: Flume
Issue Type: Wish
Components: Node
Affects Versions: 1.9.0
Reporter: zhou yong
Fix For: notrack
flume-ng-core-1.9.0 and flume-parent require the commons-io component, and the
required version is as follows:
<dependency>
    <groupId>commons-io</groupId>
    <artifactId>commons-io</artifactId>
    <version>2.1</version>
</dependency>
I think we should upgrade commons-io to its latest version: 2.8.0. The reasons
are as follows:
The [CVE-2021-29425|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425]
vulnerability exists in commons-io-2.1: In Apache Commons IO before 2.7, when
invoking the method FileNameUtils.normalize with an improper input string, like
"//../foo" or "\\..\foo", the result would be the same value, thus possibly
providing access to files in the parent directory, but not further above (thus
"limited" path traversal), if the calling code would use the result to
construct a path value. For details see:
https://nvd.nist.gov/vuln/detail/CVE-2021-29425#vulnCurrentDescriptionTitle
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
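The advisory text above notes that the risk only materialises when calling code turns the normalized string into a path. As an added example (not Flume's or commons-io's own code), this is the containment check such a caller can apply on the resolved java.nio Path itself, so correctness never rests on which commons-io version, and therefore which FilenameUtils.normalize behaviour, is on the classpath; the base directory and file names in main are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not Flume's code: resolve untrusted names under a fixed base
 * directory and reject anything that would land outside it.
 */
public final class ContainedPathResolver {
    private final Path base;

    public ContainedPathResolver(Path base) {
        this.base = base.toAbsolutePath().normalize();
    }

    /** Returns base/name only if it cannot leave base; throws IOException otherwise. */
    public Path resolve(String untrustedName) throws IOException {
        // A backslash is a separator on Windows but an ordinary character on POSIX;
        // rejecting it everywhere keeps the policy independent of the host OS.
        if (untrustedName.contains("\\") || untrustedName.indexOf('\0') >= 0) {
            throw new IOException("rejected separator or NUL in name: " + untrustedName);
        }
        // resolve() keeps an absolute name such as "//../foo" as-is and normalize()
        // folds "..", so the prefix check below catches both forms the advisory names.
        Path candidate = base.resolve(untrustedName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes base directory: " + untrustedName);
        }
        // A component-wise prefix check is not enough if a symlink inside base points
        // outside it; re-check the real path when the target already exists.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base.toRealPath())) {
            throw new IOException("symlink escapes base directory: " + untrustedName);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample: the base directory and the names are made up for this demo.
        ContainedPathResolver r = new ContainedPathResolver(Paths.get("/var/lib/flume/spool"));
        for (String name : new String[] {"events/2021-04-01.log", "//../foo", "\\..\\foo", "../foo"}) {
            try {
                System.out.println("accepted: " + r.resolve(name));
            } catch (IOException | InvalidPathException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first constructed name is accepted; the three traversal-shaped names are rejected before any file is opened.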