openEuler-SA-2025-1942

Synopsis:

apache-commons-vfs security updateSummary:

An update for apache-commons-vfs is now available for openEuler-22.03-LTS-SP3Description:

Commons VFS provides a uniform view of files through a single API which is designed for accessing various different file systems. These file systems could be a local disk, an HTTP server or a ZIP archive file. The key features are listed as follows: * The API is consistent among various file types. * Support for a wide range of file systems. * Support caching local file system with different fs types. * Event delivery. * Provides in-JVM info caching. * A set of Ant tasks which VFS is enabled. * Easy to be intergrated into applications such as VFS-aware ClassLoader and URLStreamHandlerFactory.

Security Fix(es):

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.

The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.(CVE-2025-27553)Topic:

An update for apache-commons-vfs is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP3/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1.

openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Severity:

HighAffected Component:

apache-commons-vfs