Bug#1101204: commons-vfs: CVE-2025-27553 CVE-2025-30474

Salvatore Bonaccorso carnil at debian.org
Mon Mar 24 21:12:50 GMT 2025


Source: commons-vfs
Version: 2.1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for commons-vfs.

CVE-2025-27553[0]:
| Relative Path Traversal vulnerability in Apache Commons VFS before
| 2.10.0.  The FileObject API in Commons VFS has a 'resolveFile'
| method that takes a 'scope' parameter. Specifying
| 'NameScope.DESCENDENT' promises that "an exception is thrown if the
| resolved file is not a descendent of the base file". However, when
| the path contains encoded ".." characters (for example,
| "%2E%2E/bar.txt"), it might return file objects that are not a
| descendent of the base file, without throwing an exception. This
| issue affects Apache Commons VFS: before 2.10.0.  Users are
| recommended to upgrade to version 2.10.0, which fixes the issue.


CVE-2025-30474[1]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Commons VFS.  The FtpFileObject class can
| throw an exception when a file is not found, revealing the original
| URI in its message, which may include a password. The fix is to mask
| the password in the exception message. This issue affects Apache
| Commons VFS: before 2.10.0.  Users are recommended to upgrade to
| version 2.10.0, which fixes the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27553
    https://www.cve.org/CVERecord?id=CVE-2025-27553
[1] https://security-tracker.debian.org/tracker/CVE-2025-30474
    https://www.cve.org/CVERecord?id=CVE-2025-30474

Regards,
Salvatore
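Added example, not code from Commons VFS or from this report: the two defects described above, reproduced generically in Python beside a hardened form. The first pair of functions models the 'descendant scope' check: the naive version normalises the still-encoded path and checks the prefix, so "%2E%2E/bar.txt" passes and only turns into ".." when a lower layer decodes it; the hardened version decodes to a fixed point first, then normalises, then checks containment. The last function is the masking the second CVE's fix describes, applied to a URI before it goes into an exception or log message. Base directory, file names and the URI are constructed values; the plain POSIX path handling stands in for the real FileObject API.

```python
"""Added example (not Commons VFS code): generic 'descendant scope' checks
and URI password masking, illustrating the two issues in the report.

Assumptions (constructed here, not taken from the report): the base
directory, the file names and the FTP URI below are sample values, and
POSIX path handling stands in for the real FileObject.resolveFile API.
"""
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit


class NotDescendantError(ValueError):
    """Raised when a resolved path is not inside the base directory."""


def resolve_descendant_naive(base: str, name: str) -> str:
    """Vulnerable pattern: normalise the *encoded* name, then check the prefix.

    normpath does not recognise '%2E%2E' as '..', so the containment check
    passes. The path is decoded afterwards (a constructed stand-in for the
    file layer doing it later), and the escape happens without an error.
    """
    joined = posixpath.normpath(posixpath.join(base, name))
    if joined != base and not joined.startswith(base.rstrip("/") + "/"):
        raise NotDescendantError(name)
    # Later layer decodes percent-escapes: '..' appears after the check.
    return posixpath.normpath(unquote(joined))


def resolve_descendant(base: str, name: str) -> str:
    """Hardened: decode until stable, normalise, then check the canonical form.

    Decoding is bounded so a name that keeps changing (deep double or
    triple encoding) is rejected instead of looping.
    """
    decoded = name
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise NotDescendantError(name)  # still changing after 3 rounds

    base_norm = posixpath.normpath(base)
    # join() discards base for an absolute name, so '/etc/passwd' also fails
    # the containment test below rather than being accepted.
    resolved = posixpath.normpath(posixpath.join(base_norm, decoded))
    if resolved != base_norm and not resolved.startswith(base_norm + "/"):
        raise NotDescendantError(name)
    return resolved


def is_rejected(resolver, base: str, name: str) -> bool:
    """True if the resolver refuses the name, False if it returns a path."""
    try:
        resolver(base, name)
    except NotDescendantError:
        return True
    return False


def mask_uri_password(uri: str, mask: str = "***") -> str:
    """Return the URI with any userinfo password replaced by `mask`.

    Works on the raw netloc so host case and the port are preserved; a URI
    without a password is returned unchanged.
    """
    parts = urlsplit(uri)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep or ":" not in userinfo:
        return uri
    user = userinfo.partition(":")[0]
    return urlunsplit(parts._replace(netloc=f"{user}:{mask}@{hostport}"))


def not_found_message(uri: str) -> str:
    """Exception text that is safe to surface: credentials are masked."""
    return f"Could not find file: {mask_uri_password(uri)}"


if __name__ == "__main__":
    base = "/srv/data"  # constructed sample base directory
    print(resolve_descendant_naive(base, "%2E%2E/bar.txt"))   # escapes to /srv/bar.txt
    print(is_rejected(resolve_descendant, base, "%2E%2E/bar.txt"))  # True
    print(not_found_message("ftp://alice:s3cret@ftp.example.test/pub/missing.txt"))
```

Running it shows the naive resolver handing back `/srv/bar.txt` for an encoded name it should have refused, while the hardened resolver rejects the single- and double-encoded forms and still accepts ordinary names such as `sub/./bar.txt`. The same decode-then-canonicalise order is the check to look for when reviewing any path-scoping code, whatever the language.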