CVE-2019-12402
First published: Tue Aug 27 2019(Updated: )
A resource consumption vulnerability was discovered in apache-commons-compress in the way NioZipEncoding encodes filenames. Applications that use Compress to create archives, with one of the filenames within the archive being controlled by the user, may be vulnerable to this flaw. A remote attacker could exploit this flaw to cause an infinite loop during the archive creation, thus leading to a denial of service.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.github.1tchy.java9modular.org.apache.commons:commons-compress | =1.18.1 | |
| maven/org.apache.commons:commons-compress | >=1.15<1.19 | 1.19 |
| redhat/apache-commons-compress | <1.19 | 1.19 |
| Apache Commons Compress | >=1.15<=1.18 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Oracle Banking Payments | >=14.1.0<=14.4.0 | |
| Oracle Banking Platform | =2.6.2 | |
| Oracle Banking Platform | =2.7.0 | |
| Oracle Banking Platform | =2.8.0 | |
| Oracle Banking Platform | =2.9.0 | |
| Oracle Communications Element Manager | >=8.2.0<=8.2.2 | |
| Oracle Communications Ip Service Activator | =7.3.0 | |
| Oracle Communications Ip Service Activator | =7.4.0 | |
| Oracle Communications Session Report Manager | >=8.2.0<=8.2.2 | |
| Oracle Communications Session Route Manager | >=8.2.0<=8.2.2 | |
| Oracle Customer Management And Segmentation Foundation | =18.0 | |
| Oracle Essbase | =21.2 | |
| Oracle FLEXCUBE Investor Servicing | =12.1.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.3.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.4.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.0.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.1.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle JDeveloper | =12.2.1.4.0 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.56 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.57 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.58 | |
| Oracle Primavera Gateway | >=18.8.0<=18.8.8 | |
| Oracle Primavera Gateway | =19.12.0 | |
| Oracle Retail Integration Bus | =15.0 | |
| Oracle Retail Integration Bus | =16.0 | |
| Oracle Retail Xstore Point of Service | =15.0 | |
| Oracle Retail Xstore Point of Service | =16.0 | |
| Oracle Retail Xstore Point of Service | =17.0 | |
| Oracle Retail Xstore Point of Service | =18.0 | |
| Oracle Retail Xstore Point of Service | =19.0 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-12402
- https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b@%3Cdev.commons.apache.org%3E
- https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea@%3Ccommits.creadur.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53@%3Cdev.brooklyn.apache.org%3E
- https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20230818-0001/
- https://github.com/jensdietrich/xshady-release/tree/main/CVE-2019-12402
- https://github.com/advisories/GHSA-53x6-4x5p-rrvv (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2019-12402 https://nvd.nist.gov/vuln/detail/CVE-2019-12402
- https://bugzilla.redhat.com/show_bug.cgi?id=1764640
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/security/cve/cve-2019-12402
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1761797
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1764641
- https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9
- https://github.com/apache/commons-compress/blob/rel/1.15/RELEASE-NOTES.txt#L55
- https://issues.apache.org/jira/browse/COMPRESS-410
- https://github.com/apache/commons-compress/commit/cec72ce690353c90f3867191d7e657ba59ed2612#diff-8a69e197c08fae1d66ccd13fc61ff8c5L201
- https://github.com/apache/commons-compress/commit/a67bdc013c9fd965abaca375b9b47554a115f40e#diff-91e86934da9af58ac25a7a6f1c55e314L133
- https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea%40%3Ccommits.creadur.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL/
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53%40%3Cdev.brooklyn.apache.org%3E
- https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b%40%3Cdev.commons.apache.org%3E
Frequently Asked Questions
What is CVE-2019-12402?
CVE-2019-12402 is a vulnerability in Apache Commons Compress versions 1.15 to 1.18 that allows resource consumption attacks through a file name encoding algorithm.
What is the severity of CVE-2019-12402?
The severity of CVE-2019-12402 is high, with a CVSS severity score of 7.5.
Which software packages are affected by CVE-2019-12402?
Apache Commons Compress versions 1.15 to 1.18, io.github.1tchy.java9modular.org.apache.commons:commons-compress 1.18.1, and org.apache.commons:commons-compress versions 1.15 to 1.19 are affected by CVE-2019-12402.
How can an application be vulnerable to CVE-2019-12402?
Applications that use Compress to create archives, with one of the filenames within the archive being controlled by the user, may be vulnerable to CVE-2019-12402.
Where can I find more information about CVE-2019-12402?
You can find more information about CVE-2019-12402 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2019-12402) and the NIST National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2019-12402).
- collector/github-advisory-latest
- alias/GHSA-53x6-4x5p-rrvv
- alias/CVE-2019-12402
- collector/redhat-cve
- collector/github-advisory
- collector/nvd-api
- collector/nvd-index
- collector/nvd-cve
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/maven
- vendor/apache
- canonical/apache commons compress
- version/apache commons compress/1.15
- version/apache commons compress/1.18
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/oracle
- canonical/oracle banking payments
- version/oracle banking payments/14.1.0
- version/oracle banking payments/14.4.0
- canonical/oracle banking platform
- version/oracle banking platform/2.6.2
- version/oracle banking platform/2.7.0
- version/oracle banking platform/2.8.0
- version/oracle banking platform/2.9.0
- canonical/oracle communications element manager
- version/oracle communications element manager/8.2.0
- version/oracle communications element manager/8.2.2
- canonical/oracle communications ip service activator
- version/oracle communications ip service activator/7.3.0
- version/oracle communications ip service activator/7.4.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.2.0
- version/oracle communications session report manager/8.2.2
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.2.0
- version/oracle communications session route manager/8.2.2
- canonical/oracle customer management and segmentation foundation
- version/oracle customer management and segmentation foundation/18.0
- canonical/oracle essbase
- version/oracle essbase/21.2
- canonical/oracle flexcube investor servicing
- version/oracle flexcube investor servicing/12.1.0
- version/oracle flexcube investor servicing/12.3.0
- version/oracle flexcube investor servicing/12.4.0
- version/oracle flexcube investor servicing/14.0.0
- version/oracle flexcube investor servicing/14.1.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle jdeveloper
- version/oracle jdeveloper/12.2.1.4.0
- canonical/oracle peoplesoft enterprise pt peopletools
- version/oracle peoplesoft enterprise pt peopletools/8.56
- version/oracle peoplesoft enterprise pt peopletools/8.57
- version/oracle peoplesoft enterprise pt peopletools/8.58
- canonical/oracle primavera gateway
- version/oracle primavera gateway/18.8.0
- version/oracle primavera gateway/18.8.8
- version/oracle primavera gateway/19.12.0
- canonical/oracle retail integration bus
- version/oracle retail integration bus/15.0
- version/oracle retail integration bus/16.0
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/15.0
- version/oracle retail xstore point of service/16.0
- version/oracle retail xstore point of service/17.0
- version/oracle retail xstore point of service/18.0
- version/oracle retail xstore point of service/19.0
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- package-manager/redhat