Source: commons-vfs
Version: 2.1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for commons-vfs.
CVE-2025-27553[0]:
| Relative Path Traversal vulnerability in Apache Commons VFS before
| 2.10.0. The FileObject API in Commons VFS has a 'resolveFile'
| method that takes a 'scope' parameter. Specifying
| 'NameScope.DESCENDENT' promises that "an exception is thrown if the
| resolved file is not a descendent of the base file". However, when
| the path contains encoded ".." characters (for example,
| "%2E%2E/bar.txt"), it might return file objects that are not a
| descendent of the base file, without throwing an exception. This
| issue affects Apache Commons VFS: before 2.10.0. Users are
| recommended to upgrade to version 2.10.0, which fixes the issue.
CVE-2025-30474[1]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Commons VFS. The FtpFileObject class can
| throw an exception when a file is not found, revealing the original
| URI in its message, which may include a password. The fix is to mask
| the password in the exception message. This issue affects Apache
| Commons VFS: before 2.10.0. Users are recommended to upgrade to
| version 2.10.0, which fixes the issue.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0]
https://security-tracker.debian.org/tracker/CVE-2025-27553
https://www.cve.org/CVERecord?id=CVE-2025-27553
[1]
https://security-tracker.debian.org/tracker/CVE-2025-30474
https://www.cve.org/CVERecord?id=CVE-2025-30474
Regards,
Salvatore
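Added example (editor's note, not part of the bug report and not Commons VFS code): a small Python model of the two checks the advisory describes. `resolve_descendant_naive` models the pre-2.10.0 behaviour as "scope check on the still percent-encoded name, decoding afterwards" (that ordering is an assumption used for the model, not a statement about the library's internals); `resolve_descendant` decodes once, then normalizes, then checks scope. `mask_password` strips the password from a URI's userinfo before the URI goes into an exception message. Function names, the base path and the FTP URI are constructed for illustration.

```python
"""Python model of the two Commons VFS advisories (added example, not project code)."""
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit


def _is_descendant(base: str, candidate: str) -> bool:
    """True when the normalized absolute path `candidate` lies strictly below `base`."""
    base_dir = posixpath.normpath(base).rstrip("/") + "/"
    return candidate.startswith(base_dir) and candidate != base_dir


def resolve_descendant_naive(base: str, relative: str) -> str:
    """Model of the pre-fix behaviour (assumed ordering, for illustration only):
    the scope check runs on the raw, still percent-encoded name, so '%2E%2E'
    looks like an ordinary file name and passes; the name is decoded only
    afterwards, at which point the escaped dots become a real '..' segment."""
    joined = posixpath.normpath(posixpath.join(base, relative))
    if not _is_descendant(base, joined):
        raise ValueError(f"{relative!r} is not a descendant of {base!r}")
    return posixpath.normpath(unquote(joined))  # may now point outside base


def resolve_descendant(base: str, relative: str) -> str:
    """Hardened version: decode exactly once, reject NUL, then normalize and
    check the scope on the form that will actually be opened. Double-encoded
    input ('%252E%252E') decodes to a literal name '%2E%2E' and stays inside."""
    decoded = unquote(relative)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    joined = posixpath.normpath(posixpath.join(base, decoded))
    if not _is_descendant(base, joined):
        raise ValueError(f"{relative!r} is not a descendant of {base!r}")
    return joined


def resolves_in_scope(base: str, relative: str) -> bool:
    """Convenience wrapper: does the hardened resolver accept this name?"""
    try:
        resolve_descendant(base, relative)
        return True
    except ValueError:
        return False


def mask_password(uri: str, mask: str = "***") -> str:
    """Replace the password in a URI's userinfo ('user:pass@host') with `mask`.
    Works on the raw netloc so the host and port are preserved as written;
    a URI without a password (or without an authority) is returned unchanged."""
    parts = urlsplit(uri)
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at or ":" not in userinfo:
        return uri
    user = userinfo.split(":", 1)[0]
    return urlunsplit(parts._replace(netloc=f"{user}:{mask}@{hostport}"))


def not_found_message(uri: str) -> str:
    """What a 'file not found' message should carry: the URI for debugging, minus the secret."""
    return f"Could not find file: {mask_password(uri)}"


if __name__ == "__main__":
    base = "/srv/data"  # constructed base directory
    print(resolve_descendant_naive(base, "%2E%2E/bar.txt"))  # escapes to /srv/bar.txt
    for name in ("sub/bar.txt", "%2E%2E/bar.txt", "%252E%252E/x", "/etc/passwd", "a/../../b"):
        print(f"{name!r:20} in scope: {resolves_in_scope(base, name)}")
    print(not_found_message("ftp://alice:s3cret@ftp.example.org:2121/pub/missing.txt"))
```

The point of the ordering in `resolve_descendant` is that any scope or allow-list check must run on the same representation the backend will use; checking the encoded string and decoding later is what lets `%2E%2E` through. Decode once only: decoding again after the check would reopen the same gap for double-encoded input.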