CVE-2018-11771

5.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Commons Compress
Vendor
CVE Published:
16 August 2018

Summary

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Affected Version(s)

Apache Commons Compress 1.7 to 1.17

References

http://www.securityfocus.com/bid/105139
vdb-entryx_refsource_BID
https://lists.apache.org/thread.html/b8da751fc0ca949534cd...
mailing-listx_refsource_MLIST
http://www.securitytracker.com/id/1041503
vdb-entryx_refsource_SECTRACK

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.