[ https://issues.apache.org/jira/browse/MSHARED-979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sylwester Lachiewicz updated MSHARED-979:
-----------------------------------------
    Component/s: maven-shared-utils

> maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705
> -------------------------------------------------------------------------------------
>
>                 Key: MSHARED-979
>                 URL: https://issues.apache.org/jira/browse/MSHARED-979
>             Project: Maven Shared Components
>          Issue Type: Bug
>          Components: maven-shared-utils
>    Affects Versions: maven-shared-utils-3.3.3
>            Reporter: Scott Marshall
>            Priority: Major
>
> maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705
>
> h4. ISSUE
> sonatype-2018-0705
>
> h4. SEVERITY
> Sonatype CVSS 3: 7.8
> CVE CVSS 2.0: 0.0
>
> h4. EXPLANATION
> The {{commons-io}} package is vulnerable to Path Traversal. The {{getPrefixLength}} method in {{FilenameUtils.class}} improperly verifies the hostname value received from user input before processing client requests. An attacker could abuse this behavior by crafting a special payload containing unexpected characters that could allow access to unintended resources.
>
> h4. ROOT CAUSE
> commons-io-2.6.jar org/apache/commons/io/FilenameUtils.class [1.1, 2.7-SNAPSHOT)
> org-apache-commons-io-RELEASE113.jar org/apache/commons/io/FilenameUtils.class [1.1, 2.7-SNAPSHOT)
>
> h4. ADVISORIES
> Project: [https://github.com/apache/commons-io/pull/52]
> Project: https://issues.apache.org/jira/browse/IO-556
> Project: https://issues.apache.org/jira/browse/IO-559
>
> h4. CVSS DETAILS
> Sonatype CVSS 3: 7.8
> CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
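As an added example, not part of the issue or of the Maven project, the following POSIX shell check runs over `mvn dependency:tree` output and flags any commons-io artifact whose version falls in the advisory's affected range [1.1, 2.7-SNAPSHOT); the dependency tree text below is constructed for illustration and mirrors the reported situation (maven-shared-utils 3.3.3 pulling in commons-io 2.6).

```shell
# Added example, not from the Jira issue: scan `mvn dependency:tree` output
# for commons-io artifacts in the advisory's affected range [1.1, 2.7-SNAPSHOT),
# i.e. any release older than 2.7.

# Constructed sample of dependency:tree output (not a real project's tree):
# maven-shared-utils 3.3.3 pulling in commons-io 2.6, plus an unaffected 2.7.
SAMPLE_TREE='[INFO] org.example:app:jar:1.0.0
[INFO] +- org.apache.maven.shared:maven-shared-utils:jar:3.3.3:compile
[INFO] |  \- commons-io:commons-io:jar:2.6:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] \- commons-io:commons-io:jar:2.7:test'

# Returns 0 (true) when version $1 is below 2.7. Qualifiers such as
# "-SNAPSHOT" are dropped first, so 2.7-SNAPSHOT compares as 2.7 and is
# outside the range, matching the advisory's half-open upper bound.
is_affected_version() {
    ver=${1%%-*}
    major=${ver%%.*}
    case $ver in
        *.*) rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   minor=0 ;;
    esac
    [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 7 ]; }
}

# Prints every commons-io line from the tree text in $1 whose version is
# in the affected range, one finding per line.
scan_tree() {
    while IFS= read -r line; do
        case $line in
            *commons-io:commons-io:jar:*)
                version=${line#*commons-io:commons-io:jar:}
                version=${version%%:*}
                if is_affected_version "$version"; then
                    printf 'AFFECTED: %s\n' "$line"
                fi
                ;;
        esac
    done <<EOF
$1
EOF
}

# Number of affected commons-io lines in the tree text in $1.
count_affected() {
    scan_tree "$1" | awk 'END { print NR }'
}

scan_tree "$SAMPLE_TREE"
```

Feed it real output with `mvn dependency:tree | scan_tree "$(cat)"` or save the tree to a file first; a non-zero count means the build resolves a commons-io release the advisory covers.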