CVE-2018-1324

5.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Commons Compress
Vendor
CVE Published:
16 March 2018

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Affected Version(s)

Apache Commons Compress 1.11 to 1.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-1324
Created by tafamace

References

http://www.securitytracker.com/id/1040549
vdb-entryx_refsource_SECTRACK
https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518...
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/103490
vdb-entryx_refsource_BID

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.