{"id":"OESA-2025-1357","summary":"apache-commons-vfs security update","details":"Commons VFS provides a uniform view of files through a single API which is designed for accessing various different file systems. These file systems could be a local disk, an HTTP server or a ZIP archive file. The key features are listed as follows: * The API is consistent among various file types. * Support for a wide range of file systems. * Support caching local file system with different fs types. * Event delivery. * Provides in-JVM info caching. * A set of Ant tasks for which VFS is enabled. * Easy to be integrated into applications such as VFS-aware ClassLoader and URLStreamHandlerFactory.\n\nSecurity Fix(es):\n\nRelative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.\n\nThe FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that \"an exception is thrown if the resolved file is not a descendent of the base file\". However, when the path contains encoded \"..\" characters (for example, \"%2E%2E/bar.txt\"), it might return file objects that are not a descendent of the base file, without throwing an exception.\nThis issue affects Apache Commons VFS: before 2.10.0.\n\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue. (CVE-2025-27553)\n\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.\n\nThe FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password.\nThe fix is to mask the password in the exception message.\nThis issue affects Apache Commons VFS: before 2.10.0.\n\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue. (CVE-2025-30474)","modified":"2025-09-03T06:31:23.289205Z","published":"2025-04-03T12:53:41Z","upstream":["CVE-2025-27553","CVE-2025-30474"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1357"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27553"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30474"}],"affected":[{"package":{"name":"apache-commons-vfs","ecosystem":"openEuler:24.03-LTS","purl":"pkg:rpm/openEuler/apache-commons-vfs&distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.10.0-1.oe2403"}]}],"ecosystem_specific":{"noarch":["apache-commons-vfs-2.10.0-1.oe2403.noarch.rpm","apache-commons-vfs-devel-2.10.0-1.oe2403.noarch.rpm","apache-commons-vfs-help-2.10.0-1.oe2403.noarch.rpm"],"src":["apache-commons-vfs-2.10.0-1.oe2403.src.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2025-1357.json"}}],"schema_version":"1.7.3"}