Lukas Euler discovered a path traversal vulnerability in commons-io, a Java library of commonly used IO utility classes. When the method FilenameUtils.normalize (class org.apache.commons.io.FilenameUtils) was invoked with an improper input string such as “//../foo” or “\..\foo”, the value was returned unchanged: in the “//../foo” case the leading pair of separators is parsed as a UNC-style host prefix, so the “..” segment is taken to be the host name and is not collapsed. Calling code that used the result to construct a path could therefore be made to access files in the parent directory of its intended base, but not further above it (hence a “limited” path traversal), since only that prefix segment escapes normalization.
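The following Java program is an added illustration and is not part of this advisory or of the commons-io code base. It contrasts the pattern that the vulnerability breaks (trusting FilenameUtils.normalize to strip every “..” and then concatenating) with a containment check that does not depend on the library's string normalization at all. It assumes commons-io is on the classpath; the class name SafeResolve, the methods naiveResolve and safeResolve, the base directory /srv/app/data and the sample inputs are hypothetical names constructed for the example.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.io.FilenameUtils;

/*
 * Added example, not advisory or commons-io code. Assumes commons-io on the
 * classpath. SafeResolve, naiveResolve, safeResolve and /srv/app/data are
 * hypothetical names chosen for illustration.
 */
public class SafeResolve {

    // Vulnerable pattern: trust FilenameUtils.normalize() to remove every ".."
    // and then concatenate the result onto a base directory. On an unfixed
    // commons-io, normalize("//../foo") returns "//../foo" unchanged, so the
    // concatenation yields "/srv/app/data///../foo", which the operating system
    // resolves to /srv/app/foo, one directory above the intended base.
    static String naiveResolve(String base, String userPath) {
        String cleaned = FilenameUtils.normalize(userPath);
        if (cleaned == null) {
            // normalize() does reject plain "../foo" by returning null
            throw new IllegalArgumentException("rejected by normalize(): " + userPath);
        }
        return base + "/" + cleaned;          // no containment check at all
    }

    // Hardened pattern: never rely on string-level normalization alone.
    // Resolve the untrusted segment against the base with java.nio, normalize
    // the result lexically, and require that it still lies inside the base.
    // "//../foo" is rejected here regardless of what normalize() returns.
    static Path safeResolve(Path base, String userPath) {
        Path root = base.toAbsolutePath().normalize();
        Path target;
        try {
            target = root.resolve(userPath).normalize();
        } catch (InvalidPathException e) {
            // e.g. a malformed UNC prefix on Windows; treat as a rejection
            throw new IllegalArgumentException("malformed path: " + userPath, e);
        }
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes base directory: " + userPath);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign name, a plain traversal that
        // normalize() already rejects, and the "//../" form from the advisory.
        String[] inputs = { "reports/q1.txt", "../secret", "//../secret" };
        Path base = Paths.get("/srv/app/data");

        for (String in : inputs) {
            String naive;
            try {
                naive = naiveResolve(base.toString(), in);
            } catch (IllegalArgumentException e) {
                naive = "REJECTED (" + e.getMessage() + ")";
            }
            String safe;
            try {
                safe = safeResolve(base, in).toString();
            } catch (IllegalArgumentException e) {
                safe = "REJECTED (" + e.getMessage() + ")";
            }
            System.out.printf("%-16s naive=%-48s safe=%s%n", in, naive, safe);
        }
    }
}
```

Compile and run with a commons-io jar on the classpath (for example the unfixed 2.4 package) to see naiveResolve hand back a path under /srv/app for the “//../secret” input while safeResolve rejects it. A fixed library is expected to reject that input itself, but the containment check is what actually protects the caller and should be present whichever version is installed. Note that Path.startsWith compares the lexically normalized path and does not follow symbolic links; if the base directory may contain links pointing outside it, compare target.toRealPath() against base.toRealPath() for files that already exist.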
For Debian 8 jessie, this problem has been fixed in version 2.4-2+deb8u1.
We recommend that you upgrade your commons-io packages.
Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/