PT-2017-4078 · Apache · Apache Commons Compress

Published

2017-12-07

·

Updated

2022-04-18

·

CVE-2018-1324

CVSS v3.1

5.5

Medium

Vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Apache Commons Compress versions 1.11 through 1.15
Description A specially crafted ZIP archive can cause an infinite loop inside the extra field parser of Apache Commons Compress, which is used by the ZipFile and ZipArchiveInputStream classes. Because extra fields are parsed while the archive's headers are read, an application only has to open or enumerate an attacker-supplied archive to be affected; no entry needs to be extracted. A thread stuck in the loop consumes CPU indefinitely, which can be used to mount a denial of service attack against services that use Compress' zip package.
Recommendations Upgrade to Apache Commons Compress 1.16 or later, which fixes the issue. Where upgrading is not immediately possible, do not pass ZIP archives from untrusted sources to ZipFile or ZipArchiveInputStream, and process archives of unknown origin in an isolated worker with a hard time limit so that a stuck parser cannot exhaust the service's request handlers.
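The description and the recommendation above concern a parser whose loop can fail to advance on crafted input. The following Python is an added illustration of that bug class and of the defensive pattern that prevents it; it is not Apache Commons Compress code and does not reproduce the exact Compress code path. It parses the generic ZIP extra-field area (a sequence of records, each a little-endian u16 header id, u16 data size, and that many data bytes), first with a loop that works on every well-formed archive but spins forever on a record that claims more bytes than remain, then hardened so that every iteration either makes forward progress or rejects the input. The record ids, the sample data and the `max_iterations` guard (which stands in for "forever" so the stall can be observed without hanging) are constructed for the example.

```python
"""Illustration of the infinite-loop bug class in ZIP extra-field parsing.

Added example, not Apache Commons Compress code: a minimal parser for the
extra-field area (<u16 id><u16 size><size bytes> records), shown once with a
loop that can stall and once hardened so every iteration consumes input or
raises. Sample inputs below are constructed for this example.
"""
import struct

RECORD_HEADER = struct.Struct("<HH")  # header id, data size (little-endian u16)


class MalformedExtraField(ValueError):
    """Raised by the hardened parser instead of looping or guessing."""


def build_extra(records):
    """Assemble an extra-field byte string from (header_id, data) pairs."""
    out = bytearray()
    for header_id, data in records:
        out += RECORD_HEADER.pack(header_id, len(data))
        out += data
    return bytes(out)


def parse_extra_naive(extra, max_iterations=1000):
    """Parser with the stall bug. Returns (records, stalled).

    Parses every well-formed extra field correctly, but when a record's
    declared size overruns the buffer it 'skips' the record without moving
    the cursor, so the same bytes are read again forever. max_iterations
    replaces 'forever' so the stall is observable instead of hanging."""
    records, offset, iterations = [], 0, 0
    while offset < len(extra):
        iterations += 1
        if iterations > max_iterations:
            return records, True                  # would never have returned
        if len(extra) - offset < RECORD_HEADER.size:
            break                                 # trailing padding, ignored
        header_id, size = RECORD_HEADER.unpack_from(extra, offset)
        if offset + RECORD_HEADER.size + size > len(extra):
            continue                              # BUG: nothing advances offset
        data_start = offset + RECORD_HEADER.size
        records.append((header_id, extra[data_start:data_start + size]))
        offset = data_start + size
    return records, False


def parse_extra_hardened(extra):
    """Hardened parser: each iteration consumes at least the 4-byte header
    or raises, so termination does not depend on the input being honest.
    Trailing bytes too short for a header and sizes that overrun the buffer
    are both rejected rather than retried or silently dropped."""
    records, offset, end = [], 0, len(extra)
    while offset < end:
        if end - offset < RECORD_HEADER.size:
            raise MalformedExtraField(
                f"{end - offset} trailing byte(s) at offset {offset}")
        header_id, size = RECORD_HEADER.unpack_from(extra, offset)
        data_start = offset + RECORD_HEADER.size
        if data_start + size > end:
            raise MalformedExtraField(
                f"record 0x{header_id:04x} at offset {offset} declares {size} "
                f"bytes, only {end - data_start} remain")
        records.append((header_id, extra[data_start:data_start + size]))
        offset = data_start + size                # always >= offset + 4
    return records


def is_malformed(extra):
    """True if the hardened parser rejects the extra field."""
    try:
        parse_extra_hardened(extra)
    except MalformedExtraField:
        return True
    return False


# Constructed well-formed extra field: a Zip64 record (id 0x0001) carrying two
# 8-byte sizes, then an extended-timestamp record (id 0x5455) with one flag
# byte and a 4-byte modification time.
GOOD_EXTRA = build_extra([
    (0x0001, struct.pack("<QQ", 1024, 512)),
    (0x5455, bytes([0x01]) + struct.pack("<I", 1_500_000_000)),
])

# Constructed crafted extra field: one record whose declared size (0xFFFF)
# far exceeds the 8 bytes that actually follow the header.
CRAFTED_EXTRA = RECORD_HEADER.pack(0x0017, 0xFFFF) + b"\x00" * 8

if __name__ == "__main__":
    print("naive, good input:   ", parse_extra_naive(GOOD_EXTRA))
    print("naive, crafted input:", parse_extra_naive(CRAFTED_EXTRA))
    print("hardened, good input:", parse_extra_hardened(GOOD_EXTRA))
    print("hardened rejects crafted input:", is_malformed(CRAFTED_EXTRA))
```

The point of the hardened version is structural rather than a single extra check: the cursor is assigned from `data_start + size`, which is strictly greater than the previous offset, on every path that does not raise, so the loop bound is provable from the code alone. Whether trailing bytes that cannot form a header should be rejected or tolerated is a policy decision for the application; what matters for availability is that neither choice can be made by re-reading the same bytes.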

Exploit

Fix

DoS

Infinite Loop


Weakness Enumeration

Related identifiers

BDU:2021-01429
CVE-2018-1324
GHSA-H436-432X-8FVX
MGASA-2019-0001

Affected products

Apache Commons Compress