PT-2019-5261 · Apache · Apache Commons Compress

Published 2019-08-29 · Updated 2024-07-16 · CVE-2019-12402

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Apache Commons Compress versions 1.15 through 1.18
Confluence Data Center versions from 7.19.23 to 8.9.3
Confluence Data Center versions from 8.5.10 to 8.5.11
Confluence Server versions from 7.19.23 to 7.19.24
Confluence Server versions from 8.5.10 to 8.5.11
Description

The file name encoding algorithm used in Apache Commons Compress can enter an infinite loop when given specially crafted input, resulting in a denial of service. The flaw can be triggered by an unauthenticated remote attacker and requires no user interaction; it has no impact on confidentiality or integrity, but a high impact on availability.
Recommendations

For Apache Commons Compress versions 1.15 through 1.18, consider upgrading to a version outside of this range to mitigate the risk.
For Confluence Data Center versions from 7.19.23 to 7.19.24, upgrade to version 8.9.4, 8.5.12 LTS, or 7.19.25 LTS.
For Confluence Data Center versions from 8.5.10 to 8.5.11, upgrade to version 8.9.4 or 8.5.12 LTS.
For Confluence Data Center versions from 8.9.2 to 8.9.3, upgrade to version 8.9.4.
For Confluence Server versions from 7.19.23 to 7.19.24, upgrade to version 8.5.12 LTS or 7.19.25 LTS.
For Confluence Server versions from 8.5.10 to 8.5.11, upgrade to version 8.5.12 LTS.

DoS

Infinite Loop

Related Identifiers

BDU:2020-02116
CVE-2019-12402
GHSA-53X6-4X5P-RRVV
MGASA-2020-0001
OPENSUSE-SU-2024:10618-1

Affected Products

Apache Commons Compress
Confluence