oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[CVE-2019-12402] Apache Commons Compress denial of service vulnerability

From: Stefan Bodewig <bodewig () apache org>
Date: Tue, 27 Aug 2019 21:15:48 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Compress 1.15 to 1.18

Description:
The file name encoding algorithm used internally in Apache Commons
Compress can get into an infinite loop when faced with specially
crafted inputs. This can lead to a denial of service attack if an
attacker can choose the file names inside of an archive created by
Compress.

Mitigation:
Commons Compress users should upgrade to 1.19 or later.

Credit:
This issue was discovered by Masaya Suzuki of Google.

References:
https://commons.apache.org/proper/commons-compress/security-reports.html

Stefan Bodewig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAl1lgVkACgkQohFa4V9ri3Js/ACg2fvtHg9R8k7uoI3SlIaUDocs
afsAnRXOsfdKVRGoB28g4mSXSMRh8KHu
=HJty
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: