Description
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
A resource consumption vulnerability was discovered in apache-commons-compress in the way NioZipEncoding encodes filenames. Applications that use Compress to create archives, with one of the filenames within the archive being controlled by the user, may be vulnerable to this flaw. A remote attacker could exploit this flaw to cause an infinite loop during the archive creation, thus leading to a denial of service.
Report
This issue does not affect the versions of apache-commons-compress as shipped with Red Hat Enterprise Linux 7, or the versions of rh-java-common-apache-commons-compress and rh-maven35-apache-commons-compress as shipped with Red Hat Software Collections 3, as they use a fallback zip encoding implementation (leveraging java.io) to encode filenames. This issue does not affect the versions of rh-maven36-apache-commons-compress as shipped with Red Hat Software Collections 3, as they already include the patch.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| A-MQ Clients 2 | apache-commons-compress | Not affected | | |
| Red Hat BPM Suite 6 | apache-commons-compress | Not affected | | |
| Red Hat Data Grid 8 | apache-commons-compress | Not affected | | |
| Red Hat Decision Manager 7 | apache-commons-compress | Not affected | | |
| Red Hat Enterprise Linux 7 | apache-commons-compress | Not affected | | |
| Red Hat Integration Camel K 1 | apache-commons-compress | Not affected | | |
| Red Hat Integration Service Registry | apache-commons-compress | Not affected | | |
| Red Hat JBoss BRMS 6 | apache-commons-compress | Not affected | | |
| Red Hat JBoss Data Virtualization 6 | apache-commons-compress | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | apache-commons-compress | Not affected | | |
Additional information
CVSS3: 7.5 High
Related vulnerabilities
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Vulnerability in the Apache Commons Compress archiver related to resource management errors, allowing an attacker to cause a denial of service
CVSS3: 7.5 High