CVE-2018-1324

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 16-03-2018 02:29

Last modified: - 18-04-2022 04:27

Total changes: - 4

Description

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Low

Attack complexity

Local

Attack vector

High

Availability

None

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

Required

User interaction

5.5

Base score

1.8

3.6

Exploitability score

Impact score

Verification logic

vendor=apache AND product=commons_compress AND versionEndIncluding=1.15 AND versionStartIncluding=1.11

vendor=oracle AND product=mysql_cluster AND versionEndIncluding=7.4.34

vendor=oracle AND product=mysql_cluster AND versionEndIncluding=7.5.24 AND versionStartIncluding=7.5.0

vendor=oracle AND product=mysql_cluster AND versionEndIncluding=7.6.20 AND versionStartIncluding=7.6.0

vendor=oracle AND product=mysql_cluster AND versionEndIncluding=8.0.27 AND versionStartIncluding=8.0.0

vendor=oracle AND product=weblogic_server AND version=14.1.1.0.0

Reference

[dev] 20180316 [CVE-2018-1324] Apache Commons Compress denial of service vulnerability-Mailing List, Vendor Advisory
1040549-Third Party Advisory, VDB Entry
103490-Third Party Advisory, VDB Entry
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1-Mailing List, Vendor Advisory
[creadur-dev] 20190530 [Discuss] RAT-244 - update to language level 1.7 due to CVE issues in RAT-Mailing List, Vendor Advisory
[beam-issues] 20200421 [jira] [Closed] (BEAM-3873) Current version of commons-compress is DOS vulnerable CVE-2018-1324-Mailing List, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Keywords

CVE-2018-1324

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2018-1324

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures