[ https://issues.apache.org/jira/browse/DRILL-7910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Cong Luo resolved DRILL-7910. ----------------------------- Reviewer: Cong Luo Resolution: Fixed > Bumps commons-io from 2.4 to 2.7 > -------------------------------- > > Key: DRILL-7910 > URL: https://issues.apache.org/jira/browse/DRILL-7910 > Project: Apache Drill > Issue Type: Bug > Affects Versions: 1.18.0 > Reporter: Charles Givre > Assignee: Charles Givre > Priority: Major > Fix For: 1.19.0 > > > This fix addresses CVE-2021-29425. > In Apache Commons IO before 2.7, When invoking the method > FileNameUtils.normalize with an improper input string, like "//../foo", or > "\..\foo", the result would be the same value, thus possibly providing access > to files in the parent directory, but not further above (thus "limited" path > traversal), if the calling code would use the result to construct a path > value. > Simple solution is to update the library. -- This message was sent by Atlassian Jira (v8.3.4#803005)