In Apache Commons IO before 2.7, when the method FilenameUtils.normalize is invoked with an improper input string such as "//../foo" or "\\..\foo", the result is the same value as the input. If the calling code uses that result to construct a path value, this may provide access to files in the parent directory, but not further above (hence "limited" path traversal).
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Products: 136
References: 94
| Vendor | Product | Versions | Fixed In |
|---|---|---|---|
| apache | commons_io | - | - |
| debian | debian_linux | - | - |
| oracle | access_manager | - | - |
| oracle | agile_engineering_data_management | - | - |
| oracle | agile_plm | - | - |
| oracle | application_performance_management | - | - |
| oracle | application_testing_suite | - | - |
| oracle | banking_apis | - | - |
| oracle | banking_digital_experience | - | - |
| oracle | banking_enterprise_default_management | - | - |
| oracle | banking_enterprise_default_managment | 2.3.0 - 2.4.0 | - |
| oracle | banking_party_management | - | - |
| oracle | banking_platform | 2.3.0 - 2.4.1 | - |
| oracle | banking_platform | - | - |
| oracle | blockchain_platform | 21.1.2 | - |
| oracle | commerce_guided_search | - | - |
| oracle | communications_application_session_controller | - | - |
| oracle | communications_billing_and_revenue_management_elastic_charging_engine | - | - |
| oracle | communications_cloud_native_core_network_repository_function | - | - |
| oracle | communications_cloud_native_core_policy | - | - |
| oracle | communications_cloud_native_core_unified_data_repository | - | - |
| oracle | communications_contacts_server | - | - |
| oracle | communications_converged_application_server_-_service_controller | - | - |
| oracle | communications_convergence | - | - |
| oracle | communications_design_studio | 7.4.0 - 7.4.2 | - |
| oracle | communications_design_studio | - | - |
| oracle | communications_diameter_intelligence_hub | 8.0.0 - 8.1.0 | - |
| oracle | communications_diameter_intelligence_hub | 8.2.0 - 8.2.3 | - |
| oracle | communications_interactive_session_recorder | - | - |
| oracle | communications_offline_mediation_controller | - | - |
| oracle | communications_order_and_service_management | - | - |
| oracle | communications_policy_management | - | - |
| oracle | communications_pricing_design_center | - | - |
| oracle | communications_service_broker | - | - |
| oracle | enterprise_communications_broker | - | - |
| oracle | enterprise_session_border_controller | - | - |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.7 - 8.1.1 | - |
| oracle | financial_services_model_management_and_governance | 8.0.8 - 8.1.1 | - |
| oracle | flexcube_core_banking | 11.6.0 - 11.8.0 | - |
| oracle | flexcube_core_banking | - | - |
| oracle | fusion_middleware_mapviewer | - | - |
| oracle | health_sciences_data_management_workbench | - | - |
| oracle | health_sciences_information_manager | 3.0.1 - 3.0.4 | - |
| oracle | healthcare_data_repository | - | - |
| oracle | helidon | - | - |
| oracle | insurance_policy_administration | - | - |
| oracle | insurance_rules_palette | - | - |
| oracle | oss_support_tools | 2.12.42 | - |
| oracle | primavera_unifier | 17.7 - 17.12 | - |
| oracle | primavera_unifier | - | - |
| oracle | real_user_experience_insight | - | - |
| oracle | rest_data_services | 21.2 | - |
| oracle | rest_data_services | - | - |
| oracle | retail_assortment_planning | - | - |
| oracle | retail_integration_bus | 16.0.1 - 16.0.3 | - |
| oracle | retail_integration_bus | - | - |
| oracle | retail_merchandising_system | - | - |
| oracle | retail_order_broker | - | - |
| oracle | retail_pricing | - | - |
| oracle | retail_service_backbone | 16.0.1 - 16.0.3 | - |
| oracle | retail_service_backbone | - | - |
| oracle | retail_size_profile_optimization | - | - |
| oracle | retail_xstore_point_of_service | - | - |
| oracle | solaris_cluster | - | - |
| oracle | utilities_testing_accelerator | - | - |
| oracle | webcenter_portal | - | - |
| oracle | weblogic_server | - | - |
| netapp | active_iq_unified_manager | - | - |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N