[ 
https://issues.apache.org/jira/browse/CODEC-318?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823216#comment-17823216
 ] 

Gary D. Gregory edited comment on CODEC-318 at 1/21/25 1:06 PM:
----------------------------------------------------------------

[~arthur.chan] 

Our security model does not cover input that is either trusted or 
validated/sanitized by the application using the library; please see 
https://commons.apache.org/security.html

Aside from that, if you want to report a vulnerability, you must follow 
[https://commons.apache.org/security.html]

TY

 


was (Author: garydgregory):
[~arthur.chan] 

If you want to report a vulnerability, you must follow 
[https://commons.apache.org/security.html]

TY

 

> Possible path traversal vulnerability in the Digest class CLI
> -------------------------------------------------------------
>
>                 Key: CODEC-318
>                 URL: https://issues.apache.org/jira/browse/CODEC-318
>             Project: Commons Codec
>          Issue Type: Improvement
>            Reporter: Sheung Chi Chan
>            Priority: Trivial
>
> The {{Digest}} class in the {{cli}} package provides a CLI for calculating a 
> message digest with the support of the {{DigestUtils}} class. The CLI takes in a 
> list of arguments from the users and stores them, assuming all the arguments 
> are local file paths for message digest calculation. These file paths are 
> stored as object variables and are processed one by one in the run method. 
> The run method opens each of the file paths, reads the content and calculates 
> message digests using the {{DigestUtils}} class. The file paths are never 
> checked or sanitized and are directly passed in and controlled by the CLI 
> users. This opens up a vulnerability to path traversal attacks because the 
> user of the CLI has full control of the path string. Considering that Apache 
> Commons Codec is meant to be used as a library by general developers, the 
> existence of a vulnerable CLI in the library could expose the path traversal 
> vulnerability to an attacker on any application adopting the library, who could 
> gain illegal access to the execution environment.
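The validation the comment above places on the application's side, as an added example that is not Commons Codec's own code: the `ConfinedDigest` wrapper, its base-directory argument and the digesting of the confined file with `DigestUtils.sha256Hex(InputStream)` are assumptions about how an embedding application would use the library, not part of the `Digest` CLI.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.codec.digest.DigestUtils;

/** Hypothetical application-side wrapper: paths are confined to one directory before use. */
public final class ConfinedDigest {
    private final Path base;

    public ConfinedDigest(Path base) throws IOException {
        // Resolve the base directory once (symlinks included) so later prefix checks are exact.
        this.base = base.toRealPath();
    }

    /** Returns the real path of a user-supplied name if it stays inside base, otherwise throws. */
    Path confine(String userSupplied) throws IOException {
        // resolve() keeps an absolute argument as-is; normalize() collapses "." and ".." segments.
        Path candidate = base.resolve(userSupplied).normalize();
        // toRealPath() follows symlinks and fails for missing files, so a link
        // inside base that points outside it is rejected by the prefix check below.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base)) {
            throw new IOException("path escapes the allowed directory: " + userSupplied);
        }
        return real;
    }

    /** Digests a confined file; the library itself never sees an unchecked path. */
    public String sha256Hex(String userSupplied) throws IOException {
        try (InputStream in = Files.newInputStream(confine(userSupplied))) {
            return DigestUtils.sha256Hex(in);
        }
    }

    public static void main(String[] args) throws IOException {
        // Usage (constructed): java ConfinedDigest <base-dir> <relative-file>...
        ConfinedDigest digest = new ConfinedDigest(Paths.get(args[0]));
        for (int i = 1; i < args.length; i++) {
            try {
                System.out.println(digest.sha256Hex(args[i]) + "  " + args[i]);
            } catch (IOException e) {
                System.err.println("rejected " + args[i] + ": " + e.getMessage());
            }
        }
    }
}
```

Arguments such as `../etc/passwd` or an absolute path outside the base directory are rejected before any file is opened, which is the kind of application-side sanitization the security policy expects.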



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
