[MAVEN:GHSA-H436-432X-8FVX] Apache Commons Compress vulnerable to denial of service due to infinite loop

Severity Moderate
Affected Packages 3
Fixed Packages 2
CVEs 1

A specially crafted ZIP archive can cause an infinite loop in the extra-field parser of Apache Commons Compress, which is used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial-of-service attack against services that use Compress' zip package.

ID MAVEN:GHSA-H436-432X-8FVX
Severity moderate
URL https://github.com/advisories/GHSA-h436-432x-8fvx
Published 2019-03-14T15:41:12
Modified 2023-11-02T21:36:42
Rights Maven Security Team
Other Advisories
Type | Package URL | Namespace | Name / Product | Version
---- | ----------- | --------- | -------------- | -------
Affected | pkg:maven/org.apache.commons/commons-compress | org.apache.commons | commons-compress | >= 1.11, < 1.16
Fixed | pkg:maven/org.apache.commons/commons-compress | org.apache.commons | commons-compress | = 1.16
Affected | pkg:maven/io.takari/commons-compress | io.takari | commons-compress | = 1.12
Affected | pkg:maven/com.liferay/com.liferay.portal.tools.bundle.support | com.liferay | com.liferay.portal.tools.bundle.support | >= 3.2.7, < 3.7.4
Fixed | pkg:maven/com.liferay/com.liferay.portal.tools.bundle.support | com.liferay | com.liferay.portal.tools.bundle.support | = 3.7.4