CVE-2019-12402 – io.github.1tchy.java9modular.org.apache.commons:commons-compress
Package
Manager: maven
Name: io.github.1tchy.java9modular.org.apache.commons:commons-compress
Vulnerable Version: =1.18.1
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00149 (percentile: 0.35998)
Details
Denial of Service in Apache Commons Compress
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Metadata
Created: 2019-10-11T18:41:08Z
Modified: 2021-06-15T17:21:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json
CWE IDs: ["CWE-835"]
Alternative ID: GHSA-53x6-4x5p-rrvv
Finding: F138
Auto approve: 1