Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN165

_____________________________________________________________________

DATE                : 24/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Commons VFS versions prior
                                     to 2.10.0.

=====================================================================
https://lists.apache.org/thread/6ldr41qyd88971tm00kh1f51cfcg6xh2
https://lists.apache.org/thread/mztyl0fq5zk72wgw1dkj6dt27qhwqooy
_____________________________________________________________________

CVE-2025-27553: Apache Commons VFS: Possible path traversal issue
when using NameScope.DESCENDENT


Severity: low

Affected versions:

- Apache Commons VFS before 2.10.0

Description:

Relative Path Traversal vulnerability in Apache Commons VFS before
2.10.0.

The FileObject API in Commons VFS has a 'resolveFile' method that
takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT'
promises that "an exception is thrown if the resolved file is not
a descendent of the base file". However, when the path contains
encoded ".." characters (for example, "%2E%2E/bar.txt"), it might
return file objects that are not a descendent of the base file,
without throwing an exception.
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes
the issue.


Credit:

Arnout Engelen (finder)


References:

https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-27553

_____________________________________________________________________

CVE-2025-30474: Apache Commons VFS: Failing to find an FTP file can
reveal the URI's password in an error message

Severity: moderate

Affected versions:

- Apache Commons VFS before 2.10.0

Description:

Exposure of Sensitive Information to an Unauthorized Actor
vulnerability in Apache Commons VFS.

The FtpFileObject class can throw an exception when a file is not
found, revealing the original URI in its message, which may include
a password. The fix is to mask the password in the exception message
This issue affects Apache Commons VFS: before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the
issue.

This issue is being tracked as VFS-169 


Credit:

Marek Šunda (finder)


References:

https://issues.apache.org/jira/browse/VFS-169
https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-30474
https://issues.apache.org/jira/browse/VFS-169



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================