Uncontrolled Resource Consumption Vulnerability in Apache Commons IO
CVE-2024-47554

4.3 MEDIUM

Key Information:

Vendor
Apache
CVE Published:
3 October 2024

Summary

The vulnerability in the org.apache.commons.io.input.XmlStreamReader class can lead to excessive CPU resource consumption when it processes specially crafted input. This can cause significant performance degradation, particularly in applications that pass untrusted XML data to this class. To mitigate this risk, users should upgrade to Apache Commons IO version 2.14.0 or later, where the issue has been addressed. Appropriate safeguards should also be applied to external inputs to reduce the potential for exploitation.

Affected Version(s)

Apache Commons IO 2.0 < 2.14.0
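A small dependency check for the affected range above, added here as an example and not part of the advisory: it scans dependency-listing lines and flags Commons IO versions from 2.0 up to but not including the fixed 2.14.0 release. It assumes the line format printed by `mvn dependency:list` and the Maven coordinates `commons-io:commons-io`, neither of which the advisory states.

```python
"""Flag Apache Commons IO versions in the range affected by CVE-2024-47554.

Assumptions (not from the advisory): dependency lines look like the output
of `mvn dependency:list`, e.g. "[INFO]    commons-io:commons-io:jar:2.11.0:compile",
and the Maven coordinates of Apache Commons IO are commons-io:commons-io.
"""
import re

# Affected range from the advisory: 2.0 <= version < 2.14.0
AFFECTED_FROM = "2.0"
FIXED_IN = "2.14.0"

# Capture the numeric version after the assumed commons-io:commons-io:jar: prefix.
DEP_LINE = re.compile(r"commons-io:commons-io:jar:([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """Turn '2.11.0' into a comparable tuple; missing components count as 0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    """True when version lies in [2.0, 2.14.0), the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def find_affected(listing):
    """Return (version, line) for every Commons IO entry in the affected range."""
    hits = []
    for line in listing.splitlines():
        match = DEP_LINE.search(line)
        if match and is_affected(match.group(1)):
            hits.append((match.group(1), line.strip()))
    return hits


# Constructed sample of `mvn dependency:list` output (not real project output).
SAMPLE_LISTING = """\
[INFO] The following files have been resolved:
[INFO]    commons-io:commons-io:jar:2.11.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    commons-io:commons-io:jar:2.14.0:test
[INFO]    commons-io:commons-io:jar:1.4:compile
"""

if __name__ == "__main__":
    for version, line in find_affected(SAMPLE_LISTING):
        print(f"CVE-2024-47554: upgrade to {FIXED_IN} or later -> {line}")
```

Versions carrying a qualifier such as `-SNAPSHOT` are compared on their numeric part only.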

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CodeQL