mod-inventory / MODINV-440

commons-io 2.4 (CVE-2021-29425)

Details

    • Bug
    • Status: Closed
    • TBD
    • Resolution: Done
    • None
    • 17.0.1
    • Other dev

    Description

      mod-inventory uses commons-io:commons-io:2.4.

      commons-io before 2.7 has this security issue:
      limited path traversal vulnerability in FileNameUtils.normalize: https://nvd.nist.gov/vuln/detail/CVE-2021-29425

      However, mod-inventory doesn't use FileNameUtils.normalize.
      It uses only these methods from commons-io:

      • FileUtils.readFileToByteArray
      • IOUtils.toInputStream

      mod-inventory's own code is therefore not affected by this issue.

      Its dependencies, however, also pull in commons-io:

      mvn dependency:tree -Dincludes=commons-io -Dverbose
      org.folio:mod-inventory:jar:17.1.0-SNAPSHOT
      +- commons-io:commons-io:jar:2.4:compile
      +- com.github.jsonld-java:jsonld-java:jar:0.9.0:test
      |  \- (commons-io:commons-io:jar:2.5:test - omitted for conflict with 2.4)
      +- com.github.tomakehurst:wiremock:jar:2.25.1:test
      |  \- commons-fileupload:commons-fileupload:jar:1.4:test
      |     \- (commons-io:commons-io:jar:2.2:test - omitted for conflict with 2.4)
      +- org.folio:mod-source-record-storage-client:jar:5.1.0:compile
      |  +- org.folio:domain-models-runtime:jar:32.1.0:compile
      |  |  \- (commons-io:commons-io:jar:2.6:compile - omitted for conflict with 2.4)
      |  \- org.folio:domain-models-api-interfaces:jar:32.1.0:compile
      |     \- org.folio:domain-models-interface-extensions:jar:32.1.0:compile
      |        \- org.raml.jaxrs:jaxrs-code-generator:jar:3.0.7:compile
      |           +- org.raml:raml-parser-2:jar:1.0.28:compile
      |           |  \- org.raml:yagi:jar:1.0.28:compile
      |           |     \- (commons-io:commons-io:jar:2.4:compile - omitted for duplicate)
      |           \- org.jsonschema2pojo:jsonschema2pojo-core:jar:0.5.1:compile
      |              +- org.jsonschema2pojo:jsonschema2pojo-scalagen:jar:0.5.1:compile
      |              |  \- (commons-io:commons-io:jar:1.3.2:compile - omitted for conflict with 2.4)
      |              \- (commons-io:commons-io:jar:2.4:compile - omitted for duplicate)
      \- org.folio:data-import-processing-core:jar:3.1.0:compile
         \- (commons-io:commons-io:jar:2.9.0:compile - omitted for conflict with 2.4)

      Solution:

      Bump the commons-io version from 2.4 to >= 2.7.
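The dependency tree above shows why a single bump is enough: commons-io is a direct dependency, so Maven's nearest-wins resolution makes every transitive request (2.2, 2.5, 2.6, 2.9.0) resolve to whatever version mod-inventory declares. The pom.xml fragment below is an added illustration, not code from the mod-inventory repository; it raises the direct dependency to 2.7 and adds a maven-enforcer-plugin rule so the build fails if any path resolves commons-io below 2.7 again (the enforcer plugin version 3.0.0 and the choice of exactly 2.7 rather than a later release are assumptions).

```xml
<!-- Added example (not mod-inventory's pom.xml): pin the fixed commons-io and fail the build on regressions. -->
<project>
  <dependencies>
    <!-- Direct dependency: 2.7 is the first release with the CVE-2021-29425 fix.
         Because it is declared directly, nearest-wins resolution also applies it
         to every transitive commons-io request shown in dependency:tree. -->
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.7</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0</version> <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>ban-vulnerable-commons-io</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Version range [,2.7) bans every commons-io release before 2.7;
                       searchTransitive defaults to true, so transitive paths are checked too. -->
                  <excludes>
                    <exclude>commons-io:commons-io:[,2.7)</exclude>
                  </excludes>
                  <message>commons-io before 2.7 is affected by CVE-2021-29425 (FileNameUtils.normalize path traversal); see MODINV-440.</message>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After the change, re-run `mvn dependency:tree -Dincludes=commons-io -Dverbose` and confirm that the compile-scope entry reads 2.7 and every omitted line says "omitted for conflict with 2.7".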

      People

        Assignee: Unassigned
        Reporter: Julian Ladisch