GHSA-hrmr-f5m6-m9pq

Source
https://github.com/advisories/GHSA-hrmr-f5m6-m9pq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-hrmr-f5m6-m9pq/GHSA-hrmr-f5m6-m9pq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hrmr-f5m6-m9pq
Aliases
Published
2018-10-19T16:41:27Z
Modified
2024-06-05T17:33:15.862538Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
Moderate severity vulnerability that affects org.apache.commons:commons-compress
Details

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Database specific
{
    "nvd_published_at": "2018-08-16T15:29:00Z",
    "cwe_ids": [
        "CWE-835"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:40:55Z"
}
References

Affected packages

Maven / org.apache.commons:commons-compress

Package

Name
org.apache.commons:commons-compress
Purl
pkg:maven/org.apache.commons/commons-compress

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.7
Fixed
1.18

Affected versions

1.*

1.7
1.8
1.8.1
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.16.1
1.17