This repository has been archived by the owner on Nov 29, 2022. It is now read-only.

Update Venocity for CVE-2021-29425 Mitigation #513

Open
jasonparallel opened this issue Apr 20, 2021 · 0 comments

@jasonparallel

The current version of Venocity uses the shade plugin to copy commons-io:commons-io:2.5 into its jar (in its namespace).

CVE-2021-29425
"In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value."

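A shaded copy like the one described in this issue does not appear in a consumer's dependency tree, so it has to be found by inspecting the jar itself. The following is an added example, not code from this issue or the project: it assumes the shade plugin kept the bundled artifact's `META-INF/maven/.../pom.properties` (it does unless a filter excludes it), and the sample jar and the `example/shaded` relocation prefix are constructed for illustration.

```python
import io
import re
import zipfile

FIXED = (2, 7)  # CVE-2021-29425 affects Commons IO before 2.7
POM_PROPS = "META-INF/maven/commons-io/commons-io/pom.properties"


def parse_version(text):
    """Leading numeric part of a version string: '2.5' -> (2, 5)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else (0,)


def bundled_commons_io(jar):
    """Report a commons-io copy bundled in `jar` (path or file object), or None."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        if POM_PROPS not in names:
            return None
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    version = None
    for line in props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            version = value.strip()
    if version is None:
        return None
    # Relocated classes live outside org/apache/commons/io/ after shading.
    relocated = [n for n in names if n.endswith("/FilenameUtils.class")
                 and not n.startswith("org/apache/commons/io/")]
    return {"version": version,
            "vulnerable": parse_version(version) < FIXED,
            "relocated_classes": relocated}


def constructed_sample_jar(version):
    """Build an in-memory jar that mimics a shaded commons-io (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "#Generated by Maven\ngroupId=commons-io\n"
                               f"artifactId=commons-io\nversion={version}\n")
        zf.writestr("example/shaded/org/apache/commons/io/FilenameUtils.class", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(bundled_commons_io(constructed_sample_jar("2.5")))
```
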