Denial of Service Vulnerability in Apache Commons Compress by Apache
CVE-2019-12402

7.5HIGH

Key Information:

Vendor

Apache
Status
Apache Commons Compress
Vendor
CVE Published:
30 August 2019

What is CVE-2019-12402?

The vulnerability in Apache Commons Compress versions 1.15 to 1.18 involves a file name encoding algorithm that can enter an infinite loop when processing specially crafted input. This flaw can be exploited by an attacker to induce a denial of service (DoS) condition, especially if they can control the file names within an archive crafted using the Compress library. Organizations utilizing affected versions should consider upgrading to a patched version to mitigate this risk.

Affected Version(s)

Apache Commons Compress 1.15 to 1.18

References

https://lists.apache.org/thread.html/54cc4e9fa6b24520135f...
mailing-list
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.