DEBIAN-CVE-2025-27553
- Source
- https://security-tracker.debian.org/tracker/DEBIAN-CVE-2025-27553
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-27553.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-27553
- Upstream
- Published
- 2025-03-23T15:15:13Z
- Modified
- 2025-09-19T07:34:31.956574Z
- Summary
- [none]
- Details
-
Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.
- References
Affected packages
Debian:11 / commons-vfs
Package
- Name
- commons-vfs
- Purl
- pkg:deb/debian/commons-vfs?arch=source
Debian:12 / commons-vfs
Package
- Name
- commons-vfs
- Purl
- pkg:deb/debian/commons-vfs?arch=source
Debian:13 / commons-vfs
Package
- Name
- commons-vfs
- Purl
- pkg:deb/debian/commons-vfs?arch=source
Debian:14 / commons-vfs
Package
- Name
- commons-vfs
- Purl
- pkg:deb/debian/commons-vfs?arch=source