CVE-2018-11771

CWE-835 CWE-400 — Uncontrolled Resource Consumption13 documents8 sources

Severity

5.5MEDIUM

EPSS

1.1%

top 21.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Commons Compress Apache Software Foundation Apache Commons Compress Oracle Weblogic Server

Timeline

PublishedAug 16

Latest updateOct 19

Description

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶Mavenorg.apache.commons:commons-compress1.7 — 1.18

▶Debianlibcommons-compress-java< 1.18-1+3

▶NVDapache/commons_compress1.7.0 — 1.17.0

▶CVEListV5apache_software_foundation/apache_commons_compress1.7 to 1.17

▶NVDoracle/weblogic_server14.1.1.0.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Moderate severity vulnerability that affects org.apache.commons:commons-compress↗2018-10-19

▶

GHSA

Moderate severity vulnerability that affects org.apache.commons:commons-compress↗2018-10-19

▶

CVEList

CVE-2018-11771: When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1↗2018-08-16

▶

OSV

CVE-2018-11771: When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1↗2018-08-16

▶

📋Vendor Advisories

Red Hat

apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip↗2018-08-17

▶

Debian

CVE-2018-11771: libcommons-compress-java - When reading a specially crafted ZIP archive, the read method of Apache Commons ...↗2018

▶

Apache

Apache tika: CVE-2018-11771↗

▶

💬Community

Bugzilla

CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip [fedora-all]↗2018-10-18

▶

Bugzilla

CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip [fedora-all]↗2018-10-18

▶

Bugzilla

CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip [fedora-all]↗2018-10-18

▶

Bugzilla

CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip [fedora-all]↗2018-08-17

▶

Bugzilla

CVE-2018-11771 apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip↗2018-08-17

▶