ALAS2-2025-2842


Amazon Linux 2 Security Advisory: ALAS2-2025-2842
Advisory Released Date: 2025-04-30
Advisory Updated Date: 2025-04-30
Severity: Medium

Issue Overview:

Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.

The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendant of the base file without throwing an exception.
This issue affects Apache Commons VFS before 2.10.0.

Users are recommended to upgrade to version 2.10.0, which fixes the issue. (CVE-2025-27553)
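As an added illustration (not code from this advisory or from Commons VFS itself), the following Python models the containment check that NameScope.DESCENDENT is meant to enforce: a check that normalises the joined path without first decoding it passes "%2E%2E/bar.txt", while decoding to a fixed point before normalising rejects it. The base directory and file names are constructed for the example.

```python
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a resolved path is not strictly inside the base."""


def naive_is_descendant(base, relative):
    # Flawed pattern: normalise, never decode. "%2E%2E" is treated as a
    # literal directory name, so the result still looks like a descendant.
    joined = posixpath.normpath(posixpath.join(base, relative))
    return joined.startswith(base.rstrip("/") + "/")


def resolve_descendant(base, relative):
    """Resolve `relative` against `base`; raise unless the result is strictly
    below `base` (the base itself is rejected, matching DESCENDENT rather
    than DESCENDENT_OR_SELF)."""
    base = posixpath.normpath(base)
    prefix = base if base.endswith("/") else base + "/"

    # Percent-decode until stable so double-encoded "%252E%252E" collapses too;
    # give up on pathological inputs with many encoding layers.
    decoded = relative
    for _ in range(5):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        raise TraversalError("too many encoding layers")

    if decoded.startswith("/"):
        raise TraversalError("absolute path not allowed")

    resolved = posixpath.normpath(posixpath.join(base, decoded))
    if not resolved.startswith(prefix):
        raise TraversalError(f"{relative!r} escapes {base!r}")
    return resolved


def escapes(base, relative):
    """True if the hardened resolver rejects the input."""
    try:
        resolve_descendant(base, relative)
    except TraversalError:
        return True
    return False
```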


Affected Packages:

apache-commons-vfs


Note:

This advisory applies to the Amazon Linux 2 (AL2) Core repository. See the Amazon Linux FAQ for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update apache-commons-vfs to update your system.

New Packages:
noarch:
    apache-commons-vfs-2.0-11.amzn2.0.2.noarch
    apache-commons-vfs-ant-2.0-11.amzn2.0.2.noarch
    apache-commons-vfs-examples-2.0-11.amzn2.0.2.noarch
    apache-commons-vfs-javadoc-2.0-11.amzn2.0.2.noarch

src:
    apache-commons-vfs-2.0-11.amzn2.0.2.src