{"id":"CVE-2021-29425","details":"In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.","aliases":["GHSA-gwrp-pvrq-jmwv"],"modified":"2026-04-10T04:32:01.206162Z","published":"2021-04-13T07:15:12.327Z","related":["SUSE-SU-2021:1282-1","SUSE-SU-2021:1315-1","openSUSE-SU-2021:0605-1","openSUSE-SU-2024:12099-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220210-0004/"},{"type":"REPORT","url":"https://issues.apache.org/jira/browse/IO-556"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/commons-io","events":[{"introduced":"0"},{"last_affected":"a73895fbefd57c23595a5e9e85f0649993c59080"},{"introduced":"0"},{"last_affected":"266bcc4d5d0fbd230756539f93acd9fc5ddd2c5c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.10.0"},{"introduced":"0"},{"last_affected":"2.12.0"}]}},{"type":"GIT","repo":"https://github.com/oracle/helidon","events":[{"introduced":"0"},{"last_affected":"c6979cb5f47afb40b1920ba37f219eeae7f4eef1"},{"introduced":"0"},{"last_affected":"69812d43c53e4f777cf872c176a4a0221ee83366"},{"introduced":"0"},{"last_affected":"c51cf34df1c7aa4cebe165c13525bcd492912288"},{"introduced":"0"},{"last_affected":"baa3fdbff8fee60a833490c0f95bbc1f39b15e05"},{"introduced":"0"},{"last_affected":"a20fe937749cf1b42701a24b7de4ad941b738cba"},{"introduced":"0"},{"last_affected":"101f1aaf0f9c993eb1da721dc0e5494627b4ce6b"},{"introduced":"69812d43c53e4f777cf872c176a4a0221ee83366"},{"last_affected":"c51cf34df1c7aa4cebe165c13525bcd492912288"},{"introduced":"69812d43c53e4f777cf872c176a4a0221ee83366"},{"last_affected":"50239a037d2d1eae463f43a4cfa7446e954ae295"},{"introduced":"0"},{"last_affected":"101f1aaf0f9c993eb1da721dc0e5494627b4ce6b"},{"introduced":"0"},{"last_affected":"6f5d627c15ceecb8afb3302a805a60a4da4b8f42"},{"introduced":"0"},{"last_affected":"1c8537d139dc2e4e4e0114c0bf9aa3524be4b7eb"},{"introduced":"0"},{"last_affected":"c6979cb5f47afb40b1920ba37f219eeae7f4eef1"},{"introduced":"0"},{"last_affected":"ce8c23320fd96326b93bce39a389814cdf6b1b1a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.2-NA"},{"introduced":"0"},{"last_affected":"2.3-NA"},{"introduced":"0"},{"last_affected":"2.4-NA"},{"introduced":"0"},{"last_affected":"2.5-NA"},{"introduced":"0"},{"last_affected":"2.6-NA"},{"introduced":"0"},{"last_affected":"2.6.2"},{"introduced":"2.3.0"},{"last_affected":"2.4.0"},{"introduced":"2.3.0"},{"last_affected":"2.4.1"},{"introduced":"0"},{"last_affected":"2.6.2"},{"introduced":"0"},{"last_affected":"1.4.0"},{"introduced":"0"},{"last_affected":"1.4.7"},{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"4.0"}]}}],"versions":["1.4.0","1.4.7","2.2.0","2.3.0","2.4.0","2.4.1","2.5.0","2.6.0","2.6.2","4.0.0","commons-io-2.10.0-RC1","commons-io-2.12.0-RC1","commons-io-2.12.0-RC2","commons-io-2.6","commons-io-2.6-RC3","commons-io-2.7-RC1","commons-io-2.8.0-RC1","commons-io-2.8.0-RC2","commons-io-2.9.0-RC1","rel/commons-io-2.10.0","rel/commons-io-2.12.0","rel/commons-io-2.7","rel/commons-io-2.8.0","rel/commons-io-2.9.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.2.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.5.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.3.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"17.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.1"}]},{"events":[{"introduced":"0"},{"fixed":"21.1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"3.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0.0.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.2.2.0"}]},{"events":[{"introduced":"7.4.0"},{"last_affected":"7.4.2"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.5"}]},{"events":[{"introduced":"8.0.0"},{"last_affected":"8.1.0"}]},{"events":[{"introduced":"8.2.0"},{"last_affected":"8.2.3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.5.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.2"}]},{"events":[{"introduced":"0"},{"last_affected":"3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"8.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"8.0.7"},{"last_affected":"8.1.1"}]},{"events":[{"introduced":"8.0.8"},{"last_affected":"8.1.1"}]},{"events":[{"introduced":"11.6.0"},{"last_affected":"11.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"5.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"2.5.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.0.0"}]},{"events":[{"introduced":"3.0.1"},{"last_affected":"3.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.8"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.8"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.1"}]},{"events":[{"introduced":"0"},{"fixed":"2.12.42"}]},{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"21.12"}]},{"events":[{"introduced":"0"},{"last_affected":"13.4.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.5.1.0"}]},{"events":[{"introduced":"0"},{"fixed":"21.2"}]},{"events":[{"introduced":"0"},{"last_affected":"21.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"16.0.1"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"13.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"16.0.1"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0.1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0.2.2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.3.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29425.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}]}