CVE-2019-12402

MEDIUM

Description

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

References

https://lists.apache.org/thread.html/[email protected]%3Cdev.commons.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.creadur.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.brooklyn.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.flink.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/

https://lists.fedoraproject.org/archives/list/[email protected]/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL/

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

Details

Source: MITRE

Published: 2019-08-30

Updated: 2021-01-20

Type: CWE-835

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:* versions from 1.15 to 1.18 (inclusive)

Tenable Plugins

View all (6 total)

IDNameProductFamilySeverity
147722JFrog < 6.23.0 Multiple VulnerabilitiesNessusMisc.
medium
145264Oracle WebLogic Server Multiple Vulnerabilities (Jan 2021 CPU)NessusMisc.
high
144307JFrog < 7.10.1 Multiple VulnerabilitiesNessusMisc.
high
135583Oracle Primavera Gateway (Apr 2020 CPU)NessusCGI abuses
high
130323Fedora 31 : apache-commons-compress (2019-da0eac1eb6)NessusFedora Local Security Checks
medium
130318Fedora 30 : apache-commons-compress (2019-c96a8d12b0)NessusFedora Local Security Checks
medium