{"id":"OESA-2025-1940","summary":"apache-commons-vfs security update","details":"Commons VFS provides a uniform view of files through a single API designed for accessing various different file systems. These file systems could be a local disk, an HTTP server or a ZIP archive file. The key features are as follows: * The API is consistent among various file types. * Support for a wide range of file systems. * Support for caching the local file system with different fs types. * Event delivery. * Provides in-JVM info caching. * A set of VFS-enabled Ant tasks. * Easy to integrate into applications such as a VFS-aware ClassLoader and URLStreamHandlerFactory.\n\nSecurity Fix(es):\n\nRelative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.\n\nThe FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that \"an exception is thrown if the resolved file is not a descendent of the base file\". However, when the path contains encoded \"..\" characters (for example, \"%2E%2E/bar.txt\"), it might return file objects that are not a descendent of the base file, without throwing an exception.\nThis issue affects Apache Commons VFS: before 2.10.0.\n\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue. (CVE-2025-27553)","modified":"2025-09-03T06:31:23.352203Z","published":"2025-08-01T13:03:35Z","upstream":["CVE-2025-27553"],"database_specific":{"severity":"High"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1940"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27553"}],"affected":[{"package":{"name":"apache-commons-vfs","ecosystem":"openEuler:22.03-LTS-SP4","purl":"pkg:rpm/openEuler/apache-commons-vfs&distro=openEuler-22.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1-16.oe2203sp4"}]}],"ecosystem_specific":{"src":["apache-commons-vfs-2.1-16.oe2203sp4.src.rpm"],"noarch":["apache-commons-vfs-2.1-16.oe2203sp4.noarch.rpm","apache-commons-vfs-devel-2.1-16.oe2203sp4.noarch.rpm","apache-commons-vfs-help-2.1-16.oe2203sp4.noarch.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2025-1940.json"}}],"schema_version":"1.7.3"}
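The advisory describes the bug only at the API-contract level: a NameScope.DESCENDENT-style scope check that is applied before percent-encoded ".." is decoded lets "%2E%2E/bar.txt" through even though the effective path escapes the base. The following is an added illustration of that failure mode and of the decode-then-normalise-then-check ordering that closes it. It is not Commons VFS code (the library is Java; Python is used here because the point is the check ordering, not the VFS API), the "naive" resolver is our assumed model of the pre-2.10.0 behaviour rather than a transcription of it, and the base directory and probe names are constructed.

```python
"""Added example (not Commons VFS code): a NameScope.DESCENDENT-style check done two ways.

The naive resolver normalises and checks the still-encoded name, so it never sees
'..' and the scope check passes; a lower layer that percent-decodes then opens a
file outside the base. The fixed resolver decodes to a fixed point (bounded),
rejects NUL bytes, normalises, and only then checks that the result lies strictly
below the base. BASE and all probe names are constructed for this example.
"""
import posixpath
from urllib.parse import unquote

BASE = "/srv/app/data"   # constructed base directory (the advisory's "base file")
MAX_DECODE_ROUNDS = 3    # how many layers of nested percent-encoding we will unwrap


class TraversalError(ValueError):
    """Raised when the resolved path is not a strict descendant of the base."""


def _is_descendant(base, candidate):
    """True only if candidate lies strictly below base; base itself does not count."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(candidate)
    # Trailing slash prevents '/srv/app/data2' from matching base '/srv/app/data'.
    return candidate != base and candidate.startswith(base.rstrip("/") + "/")


def resolve_descendant_naive(base, name):
    """Assumed pre-fix ordering: scope check on the raw, still-encoded name."""
    resolved = posixpath.normpath(posixpath.join(base, name))
    if not _is_descendant(base, resolved):
        raise TraversalError(name)
    return resolved


def effective_path(resolved):
    """What a lower layer that percent-decodes the name would actually open."""
    return posixpath.normpath(unquote(resolved))


def resolve_descendant_fixed(base, name):
    """Decode first (to a fixed point, bounded), then normalise, then check scope."""
    decoded = name
    for _ in range(MAX_DECODE_ROUNDS):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    else:
        # Still changing after MAX_DECODE_ROUNDS: treat deep nesting as hostile.
        raise TraversalError(f"too many encoding layers: {name!r}")
    if "\0" in decoded:
        raise TraversalError(f"NUL byte in name: {name!r}")
    resolved = posixpath.normpath(posixpath.join(base, decoded))
    if not _is_descendant(base, resolved):
        raise TraversalError(f"not a descendant of {base}: {name!r}")
    return resolved


def is_rejected(resolver, name, base=BASE):
    """Helper for demos and tests: did the resolver refuse this name?"""
    try:
        resolver(base, name)
    except TraversalError:
        return True
    return False


if __name__ == "__main__":
    for probe in ("sub/bar.txt", "../bar.txt", "%2E%2E/bar.txt", "%252E%252E/bar.txt"):
        if is_rejected(resolve_descendant_naive, probe):
            naive = "rejected"
        else:
            naive = "accepted -> opens " + effective_path(resolve_descendant_naive(BASE, probe))
        if is_rejected(resolve_descendant_fixed, probe):
            fixed = "rejected"
        else:
            fixed = "accepted -> " + resolve_descendant_fixed(BASE, probe)
        print(f"{probe:22} naive: {naive:45} fixed: {fixed}")
```

Two practitioner notes. First, the decode loop is bounded and stops at a fixed point so that double-encoded input ("%252E%252E") is unwrapped rather than slipping past a single unquote, while pathological nesting is refused instead of looped on. Second, on openEuler 22.03-LTS-SP4 the fix listed above is a backport into the 2.1 package (fixed version 2.1-16.oe2203sp4), so verify remediation with the RPM version rather than by looking for an upstream 2.10.0 jar on the host.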