vulnerability
Red Hat JBoss EAP: CVE-2021-29425: Improper Input Validation
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:M/Au:N/C:P/I:P/A:N) | Apr 12, 2021 | Sep 19, 2024 | Jul 2, 2025 |
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
Apr 12, 2021
Added
Sep 19, 2024
Modified
Jul 2, 2025
Description
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Solution
red-hat-jboss-eap-upgrade-latest
References
- CWE-20
- CWE-22
- CVE-2021-29425
- https://attackerkb.com/topics/CVE-2021-29425
- URL-https://access.redhat.com/security/cve/CVE-2021-29425
- URL-https://bugzilla.redhat.com/show_bug.cgi?id=1948752
- URL-https://access.redhat.com/errata/RHSA-2021:3466
- URL-https://access.redhat.com/errata/RHSA-2021:3467
- URL-https://access.redhat.com/errata/RHSA-2021:3468
- URL-https://access.redhat.com/errata/RHSA-2021:3471
- URL-https://access.redhat.com/errata/RHSA-2021:3656
- URL-https://access.redhat.com/errata/RHSA-2021:3658
- URL-https://access.redhat.com/errata/RHSA-2021:3660
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.