Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2018-1324

UNKNOWN
Published 2018-03-16T13:00:00Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2018-1324. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Apache Software Foundation

Apache Commons Compress

Affected Versions:

1.11 to 1.15

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Apache Commons Compress vulnerable to denial of service due to infinite loop

GHSA-h436-432x-8fvx

Advisory Details

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Affected Packages

Maven org.apache.commons:commons-compress
ECOSYSTEM: ≥1.11 <1.16
Maven com.liferay:com.liferay.portal.tools.bundle.support
ECOSYSTEM: ≥3.2.7 <3.7.4
Maven io.takari:commons-compress

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-1324
WEB https://github.com/apache/commons-compress/commit/2a2f1dc48e22a34ddb72321a4db211da91aa933b
WEB https://arxiv.org/pdf/2306.05534.pdf
ADVISORY https://github.com/advisories/GHSA-h436-432x-8fvx
PACKAGE https://github.com/apache/commons-compress
WEB https://github.com/jensdietrich/xshady-release/tree/main/CVE-2018-1324
WEB https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089@%3Cdev.commons.apache.org%3E
WEB https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E
WEB https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
WEB https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387@%3Cissues.beam.apache.org%3E

Advisory provided by GitHub Security Advisory Database. Published: March 14, 2019, Modified: February 27, 2024

References

http://www.securitytracker.com/id/1040549
https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089%40%3Cdev.commons.apache.org%3E
http://www.securityfocus.com/bid/103490
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd%40%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387%40%3Cissues.beam.apache.org%3E
https://www.oracle.com/security-alerts/cpujan2022.html
Published: 2018-03-16T13:00:00Z
Last Modified: 2024-09-17T03:59:32.872Z
Copied to clipboard!