Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.

The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of
the base file". However, when the path contains encoded ".."
characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not
a descendent of the base file, without throwing an exception.
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 08 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat
Redhat rhel Els

Sat, 21 Jun 2025 02:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 02 Apr 2025 22:45:00 +0000

Type Values Removed Values Added
References

Wed, 26 Mar 2025 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache commons Vfs
CPEs cpe:2.3:a:apache:commons_vfs:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache commons Vfs

Mon, 24 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Sun, 23 Mar 2025 19:45:00 +0000

Type Values Removed Values Added
References

Sun, 23 Mar 2025 14:30:00 +0000

Type Values Removed Values Added
Description Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
Title Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT
Weaknesses CWE-23
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-04-02T22:03:21.278Z

Reserved: 2025-03-01T03:19:06.648Z

Link: CVE-2025-27553

cve-icon Vulnrichment

Updated: 2025-04-02T22:03:21.278Z

cve-icon NVD

Status : Modified

Published: 2025-03-23T15:15:13.377

Modified: 2025-04-02T22:15:19.203

Link: CVE-2025-27553

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-03-23T14:16:20Z

Links: CVE-2025-27553 - Bugzilla

cve-icon OpenCVE Enrichment

No data.