[ https://issues.apache.org/jira/browse/FLUME-3400?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Busbey reassigned FLUME-3400:
----------------------------------

    Assignee: Ralph Goers

> The commons-io version used by flume is 2.1, which is vulnerable.
> -----------------------------------------------------------------
>
>                 Key: FLUME-3400
>                 URL: https://issues.apache.org/jira/browse/FLUME-3400
>             Project: Flume
>          Issue Type: Wish
>          Components: Node
>    Affects Versions: 1.9.0
>            Reporter: zhou yong
>            Assignee: Ralph Goers
>            Priority: Blocker
>             Fix For: 1.10.0
>
>
> flume-ng-core-1.9.0 and flume-parent require the commons-io component, and the
> required version is as follows:
> <dependency>
>     <groupId>commons-io</groupId>
>     <artifactId>commons-io</artifactId>
>     <version>2.1</version>
> </dependency>
> I think we should upgrade commons-io to its latest version: 2.8.0. The 
> reasons are as follows:
> The [CVE-2021-29425|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425]
> vulnerability exists in commons-io-2.1: In Apache Commons IO before 2.7,
> when invoking the method FileNameUtils.normalize with an improper input
> string, like "//../foo", or "\\..\foo", the result would be the same value,
> thus possibly providing access to files in the parent directory, but not
> further above (thus "limited" path traversal), if the calling code would use
> the result to construct a path value. For details
> see: https://nvd.nist.gov/vuln/detail/CVE-2021-29425#vulnCurrentDescriptionTitle
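The CVE text above only matters when calling code turns the normalized string into a real path, so the practical defence is a containment check on that final path. The following is an added example, not code from the issue, Flume or commons-io: it resolves an untrusted file name against a base directory with java.nio and accepts the result only if it stays strictly inside that directory, which rejects both sample inputs from the advisory even if `FilenameUtils.normalize` let them through. It assumes a POSIX file system and a constructed base directory `/var/lib/flume/spool`.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Flume or commons-io code): a containment check a caller
 * should apply to any file name taken from untrusted input before opening it.
 */
public class ContainedPath {

    /**
     * Resolves untrustedName against baseDir and returns the normalized path
     * only if it is still a proper descendant of baseDir; otherwise null.
     */
    public static Path resolveInside(Path baseDir, String untrustedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        // Backslash and NUL are not separators on POSIX, so "\\..\foo" would be
        // treated as one odd file name; reject both rather than guess how a
        // downstream consumer will parse them.
        if (untrustedName.indexOf('\\') >= 0 || untrustedName.indexOf('\0') >= 0) {
            return null;
        }
        Path candidate;
        try {
            // resolve() discards base when the name is absolute ("//../foo" is),
            // and normalize() collapses "." and ".." segments, so candidate is the
            // real target the caller would open.
            candidate = base.resolve(untrustedName).normalize();
        } catch (InvalidPathException e) {
            return null; // malformed for this file system: treat as rejected
        }
        // The decisive check: the target must remain strictly inside base.
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/var/lib/flume/spool"); // constructed base directory
        String[] names = {
            "events.log",       // plain name: accepted
            "2021/a/../b.log",  // ".." that stays inside: accepted
            "../b.log",         // climbs out of base: rejected
            "//../foo",         // CVE-2021-29425 sample input: rejected
            "\\..\\foo",        // Windows-style sample input: rejected
        };
        for (String name : names) {
            Path p = resolveInside(base, name);
            System.out.printf("%-18s -> %s%n", name, p == null ? "REJECTED" : p);
        }
    }
}
```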



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
