PT-2017-4078 · Apache · Apache Commons Compress

Published 2017-12-07 · Updated 2022-04-18 · CVE-2018-1324
CVSS v3.1 5.5 Medium
Vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache Commons Compress versions 1.11 through 1.15
Description: A specially crafted ZIP archive can cause an infinite loop inside the extra field parser of Apache Commons Compress, which is used by the ZipFile and ZipArchiveInputStream classes. A thread that parses such an archive never returns, so the flaw can be used to mount a denial of service attack against services that open untrusted ZIP archives with Compress' zip package. No authentication is required, but the archive must be handed to the vulnerable code (hence UI:R in the vector).
Recommendations: Upgrade Apache Commons Compress to version 1.16 or later, where the parser was fixed. Where an upgrade is not immediately possible, do not process ZIP archives from untrusted sources with the ZipFile and ZipArchiveInputStream classes of versions 1.11 through 1.15, and run archive handling in a worker with a time limit so that a spinning parse cannot tie up the service indefinitely.
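As an added example (not code from Apache Commons Compress, and not the crafted archive behind this advisory), the following Python shows the ZIP extra field layout the description refers to and the two checks a parse loop over it needs in order to terminate: every block header must fit in the remaining bytes, and a block's declared size must not overrun the buffer. Function names (parse_extra_fields, validate_extra, local_header_extra, build_sample_archive), the 0xCAFE header ID and the sample byte strings are all constructed for illustration; the block layout (2-byte ID, 2-byte size, data) and the 30-byte local file header come from the PKZIP APPNOTE. The screening parser is deliberately strict, so it can be used to reject suspicious archives before they reach a library that is still on an affected version.

```python
import io
import struct
import zipfile

# A ZIP extra field is a sequence of blocks, each: 2-byte header ID, 2-byte data
# size, then that many data bytes, all little-endian (PKZIP APPNOTE section 4.5).
EXTRA_HEADER_LEN = 4


def parse_extra_fields(extra):
    """Split an extra field into [(header_id, data), ...].

    Every iteration consumes at least the 4-byte block header, and a block's
    declared size must fit in the remaining buffer; anything else raises
    ValueError instead of being silently retried or skipped.
    """
    fields = []
    offset = 0
    total = len(extra)
    while offset < total:
        if total - offset < EXTRA_HEADER_LEN:
            raise ValueError(f"truncated extra-field header at offset {offset}")
        header_id, size = struct.unpack_from("<HH", extra, offset)
        data_start = offset + EXTRA_HEADER_LEN
        data_end = data_start + size
        if data_end > total:
            raise ValueError(
                f"block 0x{header_id:04x} declares {size} data bytes "
                f"but only {total - data_start} remain"
            )
        fields.append((header_id, extra[data_start:data_end]))
        offset = data_end  # always >= previous offset + 4, so the loop terminates
    return fields


def validate_extra(extra):
    """Return (True, fields) for a well-formed extra field, (False, reason) otherwise."""
    try:
        return True, parse_extra_fields(extra)
    except ValueError as exc:
        return False, str(exc)


def encode_extra_block(header_id, data):
    """Serialise one extra-field block."""
    return struct.pack("<HH", header_id, len(data)) + data


def local_header_extra(zip_bytes):
    """Return the extra field of the first local file header in a raw ZIP image.

    The fixed part of a local file header is 30 bytes; the file name length is
    at offset 26 and the extra field length at offset 28.
    """
    if zip_bytes[:4] != b"PK\x03\x04":
        raise ValueError("data does not start with a local file header")
    name_len, extra_len = struct.unpack_from("<HH", zip_bytes, 26)
    start = 30 + name_len
    return zip_bytes[start:start + extra_len]


# Constructed samples (not the archive from the advisory).
# An Info-ZIP "ux" (0x7875) block: version 1, 4-byte uid 1000, 4-byte gid 1000.
SAMPLE_UID_GID = b"\x01\x04" + struct.pack("<I", 1000) + b"\x04" + struct.pack("<I", 1000)
SAMPLE_EXTRA = encode_extra_block(0x7875, SAMPLE_UID_GID)
# A block whose declared size (0xFFFF) overruns the buffer; 0xCAFE is a made-up ID.
OVERRUN_EXTRA = struct.pack("<HH", 0xCAFE, 0xFFFF) + b"\x00" * 8
# Three trailing bytes cannot hold a block header.
TRUNCATED_EXTRA = SAMPLE_EXTRA + b"\x75\x78\x02"


def build_sample_archive():
    """Write a one-entry stored ZIP whose entry carries SAMPLE_EXTRA, in memory."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo("notes.txt")
    info.extra = SAMPLE_EXTRA
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(info, b"hello\n")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    print(validate_extra(local_header_extra(archive)))
    print(validate_extra(OVERRUN_EXTRA))
    print(validate_extra(TRUNCATED_EXTRA))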

Exploit · Fix · DoS · Infinite Loop


Weakness Enumeration

Related Identifiers

BDU:2021-01429
CVE-2018-1324
GHSA-H436-432X-8FVX
MGASA-2019-0001

Affected Products

Apache Commons Compress