[jira] [Updated] (MSHARED-979) maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705

2022-07-25 Thread Michael Osipov (Jira)


 [ https://issues.apache.org/jira/browse/MSHARED-979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Osipov updated MSHARED-979:
---
Fix Version/s: maven-shared-utils-4.0.0

> maven-shared-components uses commons-io 2.6 which is vulnerable to 
> sonatype-2018-0705
> -
>
> Key: MSHARED-979
> URL: https://issues.apache.org/jira/browse/MSHARED-979
> Project: Maven Shared Components
> Issue Type: Bug
> Components: maven-shared-utils
> Affects Versions: maven-shared-utils-3.3.3
> Reporter: Scott Marshall
> Assignee: Michael Osipov
> Priority: Major
> Labels: Java8
> Fix For: maven-shared-utils-4.0.0
>
>
> maven-shared-components uses commons-io 2.6 which is vulnerable to 
> sonatype-2018-0705
> h4. ISSUE
> sonatype-2018-0705
> h4. SEVERITY
> Sonatype CVSS 3: 7.8
> CVE CVSS 2.0: 0.0
>  
> h4. EXPLANATION
> The {{commons-io}} package is vulnerable to Path Traversal. The 
> {{getPrefixLength}} method in {{FilenameUtils.class}} improperly verifies the 
> hostname value received from user input before processing client requests. An 
> attacker could abuse this behavior by crafting a special payload containing 
> unexpected characters that could allow access to unintended resources.
> h4. ROOT CAUSE
> commons-io-2.6.jar: org/apache/commons/io/FilenameUtils.class [1.1, 2.7-SNAPSHOT)
> org-apache-commons-io-RELEASE113.jar: org/apache/commons/io/FilenameUtils.class [1.1, 2.7-SNAPSHOT)
>  
> h4. ADVISORIES
> Project: https://github.com/apache/commons-io/pull/52
> Project: https://issues.apache.org/jira/browse/IO-556
> Project: https://issues.apache.org/jira/browse/IO-559
> h4. CVSS DETAILS
> Sonatype CVSS 3: 7.8
> CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (MSHARED-979) maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705

2021-02-21 Thread Sylwester Lachiewicz (Jira)


 [ https://issues.apache.org/jira/browse/MSHARED-979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sylwester Lachiewicz updated MSHARED-979:
-
Labels: Java8  (was: )

> maven-shared-components uses commons-io 2.6 which is vulnerable to 
> sonatype-2018-0705
> -
>
> Key: MSHARED-979
> URL: https://issues.apache.org/jira/browse/MSHARED-979
> Project: Maven Shared Components
> Issue Type: Bug
> Components: maven-shared-utils
> Affects Versions: maven-shared-utils-3.3.3
> Reporter: Scott Marshall
> Priority: Major
> Labels: Java8



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Updated] (MSHARED-979) maven-shared-components uses commons-io 2.6 which is vulnerable to sonatype-2018-0705

2021-02-21 Thread Sylwester Lachiewicz (Jira)


 [ https://issues.apache.org/jira/browse/MSHARED-979?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sylwester Lachiewicz updated MSHARED-979:
-
Component/s: maven-shared-utils

> maven-shared-components uses commons-io 2.6 which is vulnerable to 
> sonatype-2018-0705
> -
>
> Key: MSHARED-979
> URL: https://issues.apache.org/jira/browse/MSHARED-979
> Project: Maven Shared Components
> Issue Type: Bug
> Components: maven-shared-utils
> Affects Versions: maven-shared-utils-3.3.3
> Reporter: Scott Marshall
> Priority: Major


