CVE-2018-1324
Severity
5.5 MEDIUM
EPSS
1.7%
top 17.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published
2018-03-16
Latest update
2022-01-15
Description
A specially crafted ZIP archive can be used to cause an infinite loop inside Apache Commons Compress' extra-field parser, which is used by the ZipFile and ZipArchiveInputStream classes, in versions 1.11 to 1.15. This can be used to mount a denial-of-service attack against services that use Compress' zip package. Any service that accepts and unpacks untrusted archives with an affected version is exposed; the fix shipped in Commons Compress 1.16, so upgrading is the remediation, and an explicit version check of the transitive dependency tree (Compress is frequently pulled in indirectly) is the practical way to confirm exposure.
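The description says the loop is in the extra-field parser, so the defensive question for anyone who cannot upgrade immediately is what a malformed extra field looks like and how to reject one before a library sees it. The following is an added example, not code from this advisory or from the Commons Compress project, and it does not reproduce the specific trigger (which the page does not give). It walks a ZIP's central directory and local headers and applies the PKWARE APPNOTE layout of an extra block, a sequence of records each with a 2-byte header ID, a 2-byte data size and that many bytes of data, rejecting any record whose declared size runs past the end of the block. The sample archives are constructed inline with Python's zipfile module; the header ID 0xCAFE is an arbitrary placeholder.

```python
"""Strict ZIP extra-field walker: flag records whose declared size overruns the block.

Extra-field layout (PKWARE APPNOTE 4.5): repeated [header id: u16][data size: u16][data].
A record that claims more bytes than remain is malformed; an archive carrying one
should be rejected before any library parser is asked to interpret it.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CEN_SIG = b"PK\x01\x02"    # central directory file header
LOC_SIG = b"PK\x03\x04"    # local file header


def parse_extra_fields(extra: bytes) -> list[tuple[int, bytes]]:
    """Split an extra block into (header_id, data) records; raise on any overrun."""
    records = []
    pos = 0
    while pos < len(extra):
        if len(extra) - pos < 4:
            raise ValueError(f"trailing {len(extra) - pos} byte(s) cannot form a record header")
        header_id, size = struct.unpack_from("<HH", extra, pos)
        pos += 4
        if size > len(extra) - pos:
            raise ValueError(
                f"field 0x{header_id:04x} declares {size} bytes but only {len(extra) - pos} remain")
        records.append((header_id, extra[pos:pos + size]))
        pos += size  # always advances by at least 4, so the loop terminates
    return records


def check_zip_extra_fields(data: bytes) -> list[str]:
    """Check the extra field of every entry, in both its central and local copies.

    Returns a list of human-readable problems; an empty list means all extra
    fields are structurally well-formed.
    """
    problems = []
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        return ["no end-of-central-directory record"]
    _, _, _, _, entries, _, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", data, eocd_pos)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CEN_SIG:
            problems.append(f"bad central directory signature at offset {pos}")
            break
        cen = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)  # 46-byte fixed part
        name_len, extra_len, comment_len, local_offset = cen[10], cen[11], cen[12], cen[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        cd_extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        try:
            parse_extra_fields(cd_extra)
        except ValueError as err:
            problems.append(f"{name}: central directory extra field: {err}")
        # The local header carries its own copy of the extra field; check it too,
        # since a streaming reader (ZipArchiveInputStream-style) only ever sees this one.
        if data[local_offset:local_offset + 4] != LOC_SIG:
            problems.append(f"{name}: bad local header signature at offset {local_offset}")
        else:
            loc = struct.unpack_from("<4sHHHHHIIIHH", data, local_offset)  # 30-byte fixed part
            l_name_len, l_extra_len = loc[9], loc[10]
            start = local_offset + 30 + l_name_len
            try:
                parse_extra_fields(data[start:start + l_extra_len])
            except ValueError as err:
                problems.append(f"{name}: local header extra field: {err}")
        pos += 46 + name_len + extra_len + comment_len
    return problems


# Constructed samples (not real-world archives). Header ID 0xCAFE is a placeholder.
WELL_FORMED_EXTRA = b"\xfe\xca\x04\x00ABCD"  # id 0xCAFE, size 4, four data bytes
OVERSIZED_EXTRA = b"\xfe\xca\xff\xffABCD"    # id 0xCAFE, claims 65535 bytes, only 4 present


def build_sample_zip(extra: bytes) -> bytes:
    """Create a one-entry stored ZIP whose entry carries the given extra block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zi = zipfile.ZipInfo("a.txt", date_time=(1980, 1, 1, 0, 0, 0))
        zi.extra = extra
        zf.writestr(zi, b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for label, extra in (("well-formed", WELL_FORMED_EXTRA), ("oversized", OVERSIZED_EXTRA)):
        print(label, check_zip_extra_fields(build_sample_zip(extra)) or "OK")
```

The walker is deliberately independent of any ZIP library: it only trusts the fixed-size header layouts and the lengths they carry, and it never lets a declared size move the cursor past the data it has. That is the property a hardened extra-field parser needs, whatever language the consuming service is written in.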
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6
Note that this vector scores the archive as locally supplied with user interaction (AV:L, UI:R). For a network service that unpacks uploaded archives, the scenario the description itself names, the effective attack vector is network and no user interaction is needed, so the practical risk for such services is higher than the 5.5 base score suggests.
Affected Packages (7 packages)
Patches
Vulnerability Details
OSV
CVE-2018-1324: A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and Zi... (2018-03-16)
CVEList
CVE-2018-1324: A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and Zi... (2018-03-16)
Vendor Advisories
Oracle
Oracle Fusion Middleware Risk Matrix: WLST (Apache Commons Compress) — CVE-2018-1324 (2022-01-15)
Red Hat
apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes (2018-03-16)
Debian
CVE-2018-1324: libcommons-compress-java - A specially crafted ZIP archive can be used to cause an infinite loop inside of ... (2018)