Vulnerability Details : CVE-2018-11771
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Vulnerability category: Denial of service
Products affected by CVE-2018-11771
- cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11771
0.21%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 58 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-11771
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2018-11771
-
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11771
-
https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E
[commons-compress] branch master updated: record CVE-2019-12402 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] justinchuch opened a new pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] spmallette closed pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E
svn commit: r1049290 - in /websites/production/commons/content/proper/commons-compress: changes-report.html security-reports.html - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] spmallette merged pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpujan2022.html
Oracle Critical Patch Update Advisory - January 2022Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] justinchuch commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
http://www.securityfocus.com/bid/105139
Apache Commons Compress CVE-2018-11771 Denial of Service VulnerabilityBroken Link
-
https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
[GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] justinchuch commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E
Pony Mail!Mailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] robertdale commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E
[Discuss] RAT-244 - update to language level 1.7 due to CVE issues in RAT - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E
[GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 - Pony MailMailing List;Vendor Advisory
-
http://www.securitytracker.com/id/1041503
Apache Commons Compress Error in Parsing ZIP Archives Lets Remote Users Deny Service - SecurityTrackerBroken Link
Jump to