oss-sec mailing list archives
[CVE-2019-12402] Apache Commons Compress denial of service vulnerability
From: Stefan Bodewig <bodewig () apache org>
Date: Tue, 27 Aug 2019 21:15:48 +0200
Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Commons Compress 1.15 to 1.18

Description:
The file name encoding algorithm used internally in Apache Commons Compress can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Mitigation:
Commons Compress users should upgrade to 1.19 or later.

Credit:
This issue was discovered by Masaya Suzuki of Google.

References:
https://commons.apache.org/proper/commons-compress/security-reports.html

Stefan Bodewig