Severity: 7.5 HIGH
EPSS: 0.4% (top 38.09%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Aug 30
Latest update: Jul 16
Description
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial-of-service attack if an attacker can choose the file names inside an archive created by Compress.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 21 packages
Also affects: Fedora 30, 31
Vulnerability Details (4)
Vendor Advisories (9)
Atlassian
CVE-2019-12402: DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server (2024-07-16)
Oracle
Oracle Essbase Risk Matrix: Infrastructure (Apache Commons Compress) — CVE-2019-12402 (2021-07-15)
Oracle
Oracle Fusion Middleware Risk Matrix: Security Framework (Apache Commons Compress) — CVE-2019-12402 (2021-04-15)
Oracle
Oracle Financial Services Applications Risk Matrix: Party, Financials (Apache Commons Compress) — CVE-2019-12402 (2021-01-15)
Oracle
Oracle Communications Risk Matrix: Core (Apache Commons Compress) — CVE-2019-12402 (2020-10-15)
Community (3)
Bugzilla
CVE-2019-12402 apache-commons-compress: Infinite loop in name encoding algorithm [fedora-all] (2019-10-23)