Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg0MzYtNDMyeC04ZnZ4
Apache Commons Compress vulnerable to denial of service due to infinite loop
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
Permalink: https://github.com/advisories/GHSA-h436-432x-8fvxJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg0MzYtNDMyeC04ZnZ4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 5 years ago
Updated: 9 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Percentage: 0.0013
EPSS Percentile: 0.48625
Identifiers: GHSA-h436-432x-8fvx, CVE-2018-1324
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1324
- https://github.com/advisories/GHSA-h436-432x-8fvx
- https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089@%3Cdev.commons.apache.org%3E
- https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387@%3Cissues.beam.apache.org%3E
- https://arxiv.org/pdf/2306.05534.pdf
- https://github.com/jensdietrich/xshady-release/tree/main/CVE-2018-1324
- https://github.com/apache/commons-compress/commit/2a2f1dc48e22a34ddb72321a4db211da91aa933b
Blast Radius: 24.1
Affected Packages
maven:io.takari:commons-compress
Dependent packages: 1Dependent repositories: 0
Downloads:
Affected Version Ranges: = 1.12
No known fixed version
All affected versions:
maven:com.liferay:com.liferay.portal.tools.bundle.support
Dependent packages: 3Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 3.2.7, < 3.7.4
Fixed in: 3.7.4
All affected versions: 3.2.7, 3.3.0, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.7.2, 3.7.3
All unaffected versions: 1.0.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.7.4, 3.7.5, 3.7.6
maven:org.apache.commons:commons-compress
Dependent packages: 2,934Dependent repositories: 23,921
Downloads:
Affected Version Ranges: >= 1.11, < 1.16
Fixed in: 1.16
All affected versions:
All unaffected versions: 1.4.1, 1.8.1, 1.16.1, 1.23.0, 1.24.0, 1.25.0, 1.26.0, 1.26.1, 1.26.2, 1.27.0, 1.27.1