PT-2018-3633 · Apache · Apache Commons Compress
Published 2018-06-05 · Updated 2022-04-18 · CVE-2018-11771
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apache Commons Compress versions 1.7 through 1.17
Description
The issue is related to the read method of Apache Commons Compress's ZipArchiveInputStream, which can fail to return the correct EOF indication after the end of the stream has been reached when reading a specially crafted ZIP archive. This can lead to an infinite stream when combined with a java.io.InputStreamReader, potentially allowing an attacker to mount a denial of service attack against services that use Compress' zip package.
Recommendations
For Apache Commons Compress versions 1.7 through 1.17, update to a version where this issue is fixed; affected versions expose services that read untrusted ZIP archives to a denial of service.
As a temporary workaround, restrict the use of the ZipArchiveInputStream class until the update can be applied.
In particular, avoid feeding a ZipArchiveInputStream into a java.io.InputStreamReader, since that is the combination that turns the missing EOF indication into an infinite loop.
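As an added illustration of the last recommendation (example code, not from the advisory or from Apache Commons Compress): a wrapper that bounds what one entry may hand to an InputStreamReader, so a stream that never signals EOF, or keeps returning zero bytes, ends in an exception instead of an endless read loop. The class names, the byte cap and the MAX_EMPTY_READS tolerance are assumptions.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/** Wraps one ZIP entry and fails once too many bytes, or too many empty reads, have come back. */
final class BoundedEntryStream extends FilterInputStream {
    private static final int MAX_EMPTY_READS = 64; // assumed tolerance for zero-byte reads
    private final long limit;
    private long count;
    private int emptyReads;
    BoundedEntryStream(InputStream in, long limit) { super(in); this.limit = limit; }

    @Override public int read() throws IOException {
        int b = in.read();
        if (b != -1) account(1);
        return b;
    }

    @Override public int read(byte[] buf, int off, int len) throws IOException {
        int n = in.read(buf, off, len);
        if (n > 0) account(n);
        else if (n == 0 && len > 0 && ++emptyReads > MAX_EMPTY_READS)
            throw new IOException("stream keeps returning 0 bytes without signalling EOF; aborting");
        return n;
    }

    private void account(long n) throws IOException {
        count += n;
        emptyReads = 0;
        if (count > limit) throw new IOException("ZIP entry exceeded " + limit + " bytes; aborting");
    }

    // Do not close the archive stream here; the caller moves on to the next entry.
    @Override public void close() {}
}

final class SafeZipText {
    /** Decodes the next entry as UTF-8 text, consuming at most maxBytes from the archive. */
    static String readNextEntry(ZipArchiveInputStream zin, long maxBytes) throws IOException {
        if (zin.getNextZipEntry() == null) return null; // no more entries
        InputStreamReader reader = new InputStreamReader(new BoundedEntryStream(zin, maxBytes), StandardCharsets.UTF_8);
        StringBuilder text = new StringBuilder();
        char[] chunk = new char[4096];
        for (int n; (n = reader.read(chunk)) != -1; ) text.append(chunk, 0, n);
        return text.toString();
    }
}
```

The wrapper is defence in depth for callers that cannot upgrade immediately; it does not correct the library's EOF handling, it only guarantees the read loop terminates.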
Fix
DoS
Infinite Loop
Affected Products
Apache Commons Compress