{"schema_version":"1.7.2","id":"OESA-2025-1357","modified":"2025-04-03T12:53:41Z","published":"2025-04-03T12:53:41Z","upstream":["CVE-2025-27553","CVE-2025-30474"],"summary":"apache-commons-vfs security update","details":"Commons VFS provides a uniform view of files through a single API designed for accessing various different file systems. These file systems could be a local disk, an HTTP server or a ZIP archive file. The key features are listed as follows: * The API is consistent among various file types. * Support for a wide range of file systems. * Support for caching local file systems with different fs types. * Event delivery. * Provides in-JVM info caching. * A set of VFS-enabled Ant tasks. * Easy to integrate into applications such as a VFS-aware ClassLoader and URLStreamHandlerFactory.\r\n\r\nSecurity Fix(es):\n\nRelative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.\n\nThe FileObject API in Commons VFS has a 'resolveFile' method that\ntakes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that \"an exception is thrown if the resolved file is not a descendent of\nthe base file\". However, when the path contains encoded \"..\"\ncharacters (for example, \"%2E%2E/bar.txt\"), it might return file objects that are not\na descendent of the base file, without throwing an exception.\nThis issue affects Apache Commons VFS: before 2.10.0.\n\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue. (CVE-2025-27553)\n\nExposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.\n\nThe FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message.\nThis issue affects Apache Commons VFS: before 2.10.0.\n\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue. (CVE-2025-30474)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS","name":"apache-commons-vfs","purl":"pkg:rpm/openEuler/apache-commons-vfs\u0026distro=openEuler-24.03-LTS"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.10.0-1.oe2403"}]}],"ecosystem_specific":{"noarch":["apache-commons-vfs-2.10.0-1.oe2403.noarch.rpm","apache-commons-vfs-devel-2.10.0-1.oe2403.noarch.rpm","apache-commons-vfs-help-2.10.0-1.oe2403.noarch.rpm"],"src":["apache-commons-vfs-2.10.0-1.oe2403.src.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1357"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27553"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30474"}],"database_specific":{"severity":"High"}}