BUG - External Control of File Name or Path - JarVisitorFactory.java

Description

We are currently using hibernateentitymanager-3.6.8.Final.jar and the Veracode analysis found this bug in JarVisitorFactory.java at lines 68, 79, 82, 140, 169 and 172:

Description:

This call contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any.

Is this a false positive?

Thanks.

Environment

None

Assignee

Unassigned

Reporter

David Camilo Espitia Manrique

Fix versions

None

Labels

backPortable

None

Suitable for new contributors

Yes, likely

Requires Release Note

None

Pull Request

None

backportDecision

None

Components

Affects versions

Priority

Major