rhsa-2025:10548
Vulnerability from csaf_redhat
Published
2025-07-08 00:50
Modified
2025-07-08 01:53
Summary
Red Hat Security Advisory: apache-commons-vfs security update
Notes
Topic
An update for apache-commons-vfs is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Commons VFS provides a single API for accessing various different file systems. It presents a uniform view of the files from various different sources, such as the files on local disk, on an HTTP server, or inside a Zip archive. Some of the features of Commons VFS are:
* A single consistent API for accessing files of different
types.
* Support for numerous file system types.
* Caching of file information. Caches information in-JVM,
and optionally can cache remote file information on the
local file system.
* Event delivery.
* Support for logical file systems made up of files from
various different file systems.
* Utilities for integrating Commons VFS into applications,
such as a VFS-aware ClassLoader and URLStreamHandlerFactory.
* A set of VFS-enabled Ant tasks.
Security Fix(es):
* apache-commons-vfs: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT (CVE-2025-27553)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for apache-commons-vfs is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Commons VFS provides a single API for accessing various different file systems. It presents a uniform view of the files from various different sources, such as the files on local disk, on an HTTP server, or inside a Zip archive. Some of the features of Commons VFS are:\n* A single consistent API for accessing files of different\n types.\n* Support for numerous file system types.\n* Caching of file information. Caches information in-JVM,\n and optionally can cache remote file information on the\n local file system.\n* Event delivery.\n* Support for logical file systems made up of files from\n various different file systems.\n* Utilities for integrating Commons VFS into applications,\n such as a VFS-aware ClassLoader and URLStreamHandlerFactory.\n* A set of VFS-enabled Ant tasks.\n\nSecurity Fix(es):\n\n* apache-commons-vfs: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT (CVE-2025-27553)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10548",
"url": "https://access.redhat.com/errata/RHSA-2025:10548"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2354334",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354334"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10548.json"
}
],
"title": "Red Hat Security Advisory: apache-commons-vfs security update",
"tracking": {
"current_release_date": "2025-07-08T01:53:40+00:00",
"generator": {
"date": "2025-07-08T01:53:40+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.3"
}
},
"id": "RHSA-2025:10548",
"initial_release_date": "2025-07-08T00:50:43+00:00",
"revision_history": [
{
"date": "2025-07-08T00:50:43+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-08T00:50:43+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-07-08T01:53:40+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"product_id": "7Server-optional-ELS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:rhel_els:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-vfs-0:2.0-11.el7_9.1.src",
"product": {
"name": "apache-commons-vfs-0:2.0-11.el7_9.1.src",
"product_id": "apache-commons-vfs-0:2.0-11.el7_9.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-vfs@2.0-11.el7_9.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-vfs-0:2.0-11.el7_9.1.noarch",
"product": {
"name": "apache-commons-vfs-0:2.0-11.el7_9.1.noarch",
"product_id": "apache-commons-vfs-0:2.0-11.el7_9.1.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-vfs@2.0-11.el7_9.1?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch",
"product": {
"name": "apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch",
"product_id": "apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-vfs-ant@2.0-11.el7_9.1?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch",
"product": {
"name": "apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch",
"product_id": "apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-vfs-examples@2.0-11.el7_9.1?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch",
"product": {
"name": "apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch",
"product_id": "apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-vfs-javadoc@2.0-11.el7_9.1?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-vfs-0:2.0-11.el7_9.1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"product_id": "7Server-optional-ELS:apache-commons-vfs-0:2.0-11.el7_9.1.noarch"
},
"product_reference": "apache-commons-vfs-0:2.0-11.el7_9.1.noarch",
"relates_to_product_reference": "7Server-optional-ELS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-vfs-0:2.0-11.el7_9.1.src as a component of Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"product_id": "7Server-optional-ELS:apache-commons-vfs-0:2.0-11.el7_9.1.src"
},
"product_reference": "apache-commons-vfs-0:2.0-11.el7_9.1.src",
"relates_to_product_reference": "7Server-optional-ELS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"product_id": "7Server-optional-ELS:apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch"
},
"product_reference": "apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch",
"relates_to_product_reference": "7Server-optional-ELS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"product_id": "7Server-optional-ELS:apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch"
},
"product_reference": "apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch",
"relates_to_product_reference": "7Server-optional-ELS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
"product_id": "7Server-optional-ELS:apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch"
},
"product_reference": "apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch",
"relates_to_product_reference": "7Server-optional-ELS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-27553",
"cwe": {
"id": "CWE-23",
"name": "Relative Path Traversal"
},
"discovery_date": "2025-03-23T15:00:53.595449+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2354334"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Apache Commons VFS. The FileObject API in Commons VFS has a \u0027resolveFile\u0027 method that takes a \u0027scope\u0027 parameter. Specifying \u0027NameScope.DESCENDENT\u0027 promises that \"an exception is thrown if the resolved file is not a descendent of the base file\". However, when the path contains encoded \"..\" characters, such as \"%2E%2Ebar.txt\", it might return file objects that are not a descendent of the base file without throwing an exception.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-vfs: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-optional-ELS:apache-commons-vfs-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-0:2.0-11.el7_9.1.src",
"7Server-optional-ELS:apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-27553"
},
{
"category": "external",
"summary": "RHBZ#2354334",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2354334"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-27553",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27553"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-27553",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27553"
},
{
"category": "external",
"summary": "https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb",
"url": "https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb"
}
],
"release_date": "2025-03-23T14:16:20.363000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-08T00:50:43+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-optional-ELS:apache-commons-vfs-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-0:2.0-11.el7_9.1.src",
"7Server-optional-ELS:apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10548"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"7Server-optional-ELS:apache-commons-vfs-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-0:2.0-11.el7_9.1.src",
"7Server-optional-ELS:apache-commons-vfs-ant-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-examples-0:2.0-11.el7_9.1.noarch",
"7Server-optional-ELS:apache-commons-vfs-javadoc-0:2.0-11.el7_9.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-commons-vfs: Apache Commons VFS: Possible path traversal issue when using NameScope.DESCENDENT"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…