Denial of Service Vulnerability in Apache Commons Compress Affects ZipFile and ZipArchiveInputStream
CVE-2018-1324

5.5MEDIUM

Key Information:

Vendor
Apache
Status
Apache Commons Compress
Vendor
CVE Published:
16 March 2018

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A specially crafted ZIP archive can trigger an infinite loop within the extra field parser of Apache Commons Compress, affecting the ZipFile and ZipArchiveInputStream classes. This flaw can be exploited to launch denial of service attacks on applications utilizing the zip handling features of the library. Versions from 1.11 to 1.15 are susceptible, emphasizing the need for immediate updates and safeguards in applications dependent on this library.

Affected Version(s)

Apache Commons Compress 1.11 to 1.15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-1324
Created by tafamace

References

http://www.securitytracker.com/id/1040549
vdb-entryx_refsource_SECTRACK
https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518...
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/103490
vdb-entryx_refsource_BID

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.