Apache Commons VFS
cpe:2.3:a:apache:commons_vfs:*:*:*:*:*:*:*
- < 2.10.0
A relative path traversal vulnerability exists in Apache Commons VFS versions prior to 2.10.0. The issue is in the FileObject API method resolveFile(String path, NameScope scope). When NameScope.DESCENDENT is passed, the method is documented to throw an exception if the resolved file is not a descendant of the base file. In affected versions, a path containing percent-encoded '..' segments can pass this check, so the method returns a FileObject that is not a descendant of the base without throwing. An application that relies on the scope check alone to confine caller-supplied paths to a designated root folder can therefore be made to access files and directories outside that root.
Exploitation of this vulnerability could lead to unauthorized access to files and directories outside of the intended scope, potentially exposing sensitive information or allowing manipulation of critical files.
Users are advised to upgrade to Apache Commons VFS version 2.10.0 or later, which addresses this vulnerability. For Debian 11 bullseye, the issue has been fixed in version 2.1-2+deb11u1.
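The following is an added example, not code from the Commons VFS project, showing how an application can call resolveFile with NameScope.DESCENDENT and still not depend on that check alone. The helper resolveInside and its rejection policy (decode percent-encoding until stable, refuse '.'/'..' segments, backslashes, absolute paths and scheme prefixes, then compare the decoded resolved path against the root) are this example's own assumptions; the attacker strings in main are constructed inputs. On 2.10.0 or later the resolveFile call itself should throw for the encoded inputs; on affected versions the pre-check and post-check are what actually stop them.

```java
import java.io.File;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import org.apache.commons.vfs2.FileObject;
import org.apache.commons.vfs2.FileSystemException;
import org.apache.commons.vfs2.FileSystemManager;
import org.apache.commons.vfs2.NameScope;
import org.apache.commons.vfs2.VFS;

public class ScopedResolve {

    /**
     * Hypothetical helper (not part of Commons VFS): resolve a caller-supplied
     * relative path strictly inside {@code root}. NameScope.DESCENDENT is still
     * passed to VFS, but the input is validated before the call and the result
     * is verified after it, so a scope check that is fooled by encoded ".."
     * segments cannot hand back a file outside the root.
     */
    public static FileObject resolveInside(FileObject root, String userPath) throws FileSystemException {
        // Step 1: decode percent-encoding until the string is stable (catches
        // double encoding such as %252e), then inspect the decoded segments.
        String decoded = userPath;
        for (int i = 0; i < 3; i++) {
            String next = URLDecoder.decode(decoded, StandardCharsets.UTF_8); // throws on malformed %xx
            if (next.equals(decoded)) {
                break;
            }
            decoded = next;
        }
        if (decoded.isEmpty() || decoded.startsWith("/") || decoded.contains("\\") || decoded.contains(":")) {
            throw new IllegalArgumentException("rejected path: " + userPath);
        }
        for (String segment : decoded.split("/")) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                throw new IllegalArgumentException("rejected path segment in: " + userPath);
            }
        }

        // Step 2: the call the advisory is about. Keep the scope argument; on a
        // fixed release it is a real check, on an affected one it is not sufficient.
        FileObject child = root.resolveFile(userPath, NameScope.DESCENDENT);

        // Step 3: independent post-check on the decoded, resolved paths. The child
        // must be in the same file system as the root and strictly below its path.
        String rootPath = root.getName().getPathDecoded();
        String childPath = child.getName().getPathDecoded();
        String prefix = rootPath.endsWith("/") ? rootPath : rootPath + "/";
        boolean sameFileSystem = root.getName().getRootURI().equals(child.getName().getRootURI());
        if (!sameFileSystem || !childPath.startsWith(prefix)) {
            throw new SecurityException("resolved outside root: " + childPath);
        }
        return child;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sandbox: a temporary directory with one legitimate file.
        File dir = Files.createTempDirectory("vfs-root").toFile();
        Files.writeString(new File(dir, "report.txt").toPath(), "ok");

        FileSystemManager manager = VFS.getManager();
        FileObject root = manager.toFileObject(dir);

        System.out.println("allowed: " + resolveInside(root, "report.txt").getName().getPathDecoded());

        // Constructed attacker inputs: plain, percent-encoded and double-encoded "..".
        String[] attempts = {
            "../etc/passwd",
            "%2e%2e/etc/passwd",
            "%252e%252e/etc/passwd",
            "sub/..%2f..%2fetc/passwd"
        };
        for (String p : attempts) {
            try {
                resolveInside(root, p);
                System.out.println("NOT BLOCKED: " + p);
            } catch (IllegalArgumentException | FileSystemException | SecurityException e) {
                System.out.println("blocked: " + p + " (" + e.getClass().getSimpleName() + ")");
            }
        }
    }
}
```

The pre-check in step 1 is the part that matters on affected versions: it rejects the encoded '..' segments before VFS ever sees them, and it deliberately refuses whole classes of input (backslashes, colons, anything percent-encoded that decodes to a dot segment) rather than trying to enumerate bypasses. Step 3 is defense in depth against whatever normalization VFS applied; because it compares the decoded path of the object VFS actually returned, it does not depend on the same scope logic that the bug lives in. The policy in step 1 is stricter than what VFS itself allows, so adjust it to the application's needs rather than treating it as the library's rules.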