CVE-2019-12402
First published: Tue Aug 27 2019(Updated: )
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.github.1tchy.java9modular.org.apache.commons:commons-compress | =1.18.1 | |
| maven/org.apache.commons:commons-compress | >=1.15<1.19 | 1.19 |
| redhat/apache-commons-compress | <1.19 | 1.19 |
| Apache Commons Compress | >=1.15<=1.18 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Oracle Banking Payments | >=14.1.0<=14.4.0 | |
| Oracle Banking Platform | =2.6.2 | |
| Oracle Banking Platform | =2.7.0 | |
| Oracle Banking Platform | =2.8.0 | |
| Oracle Banking Platform | =2.9.0 | |
| Oracle Communications Element Manager | >=8.2.0<=8.2.2 | |
| Oracle Communications Ip Service Activator | =7.3.0 | |
| Oracle Communications Ip Service Activator | =7.4.0 | |
| Oracle Communications Session Report Manager | >=8.2.0<=8.2.2 | |
| Oracle Communications Session Route Manager | >=8.2.0<=8.2.2 | |
| Oracle Customer Management And Segmentation Foundation | =18.0 | |
| Oracle Essbase | =21.2 | |
| Oracle FLEXCUBE Investor Servicing | =12.1.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.3.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.4.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.0.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.1.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle JDeveloper | =12.2.1.4.0 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.56 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.57 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.58 | |
| Oracle Primavera Gateway | >=18.8.0<=18.8.8 | |
| Oracle Primavera Gateway | =19.12.0 | |
| Oracle Retail Integration Bus | =15.0 | |
| Oracle Retail Integration Bus | =16.0 | |
| Oracle Retail Xstore Point of Service | =15.0 | |
| Oracle Retail Xstore Point of Service | =16.0 | |
| Oracle Retail Xstore Point of Service | =17.0 | |
| Oracle Retail Xstore Point of Service | =18.0 | |
| Oracle Retail Xstore Point of Service | =19.0 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-12402
- https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b@%3Cdev.commons.apache.org%3E
- https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea@%3Ccommits.creadur.apache.org%3E
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
- https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53@%3Cdev.brooklyn.apache.org%3E
- https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.netapp.com/advisory/ntap-20230818-0001/
- https://github.com/jensdietrich/xshady-release/tree/main/CVE-2019-12402
- https://github.com/advisories/GHSA-53x6-4x5p-rrvv (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1761797
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1764641
- https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9
- https://github.com/apache/commons-compress/blob/rel/1.15/RELEASE-NOTES.txt#L55
- https://issues.apache.org/jira/browse/COMPRESS-410
- https://github.com/apache/commons-compress/commit/cec72ce690353c90f3867191d7e657ba59ed2612#diff-8a69e197c08fae1d66ccd13fc61ff8c5L201
- https://github.com/apache/commons-compress/commit/a67bdc013c9fd965abaca375b9b47554a115f40e#diff-91e86934da9af58ac25a7a6f1c55e314L133
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/security/cve/cve-2019-12402
- https://bugzilla.redhat.com/show_bug.cgi?id=1764640
- https://www.cve.org/CVERecord?id=CVE-2019-12402 https://nvd.nist.gov/vuln/detail/CVE-2019-12402
Frequently Asked Questions
What is CVE-2019-12402?
CVE-2019-12402 is a vulnerability in Apache Commons Compress versions 1.15 to 1.18 that allows resource consumption attacks through a file name encoding algorithm.
What is the severity of CVE-2019-12402?
The severity of CVE-2019-12402 is high, with a CVSS severity score of 7.5.
Which software packages are affected by CVE-2019-12402?
Apache Commons Compress versions 1.15 to 1.18, io.github.1tchy.java9modular.org.apache.commons:commons-compress 1.18.1, and org.apache.commons:commons-compress versions 1.15 to 1.19 are affected by CVE-2019-12402.
How can an application be vulnerable to CVE-2019-12402?
Applications that use Compress to create archives, with one of the filenames within the archive being controlled by the user, may be vulnerable to CVE-2019-12402.
Where can I find more information about CVE-2019-12402?
You can find more information about CVE-2019-12402 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2019-12402) and the NIST National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2019-12402).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-53x6-4x5p-rrvv
- alias/CVE-2019-12402
- collector/github-advisory-latest
- collector/nvd-api
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/redhat-cve
- package-manager/maven
- vendor/apache
- canonical/apache commons compress
- version/apache commons compress/1.15
- version/apache commons compress/1.18
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- vendor/oracle
- canonical/oracle banking payments
- version/oracle banking payments/14.1.0
- version/oracle banking payments/14.4.0
- canonical/oracle banking platform
- version/oracle banking platform/2.6.2
- version/oracle banking platform/2.7.0
- version/oracle banking platform/2.8.0
- version/oracle banking platform/2.9.0
- canonical/oracle communications element manager
- version/oracle communications element manager/8.2.0
- version/oracle communications element manager/8.2.2
- canonical/oracle communications ip service activator
- version/oracle communications ip service activator/7.3.0
- version/oracle communications ip service activator/7.4.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.2.0
- version/oracle communications session report manager/8.2.2
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.2.0
- version/oracle communications session route manager/8.2.2
- canonical/oracle customer management and segmentation foundation
- version/oracle customer management and segmentation foundation/18.0
- canonical/oracle essbase
- version/oracle essbase/21.2
- canonical/oracle flexcube investor servicing
- version/oracle flexcube investor servicing/12.1.0
- version/oracle flexcube investor servicing/12.3.0
- version/oracle flexcube investor servicing/12.4.0
- version/oracle flexcube investor servicing/14.0.0
- version/oracle flexcube investor servicing/14.1.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle jdeveloper
- version/oracle jdeveloper/12.2.1.4.0
- canonical/oracle peoplesoft enterprise pt peopletools
- version/oracle peoplesoft enterprise pt peopletools/8.56
- version/oracle peoplesoft enterprise pt peopletools/8.57
- version/oracle peoplesoft enterprise pt peopletools/8.58
- canonical/oracle primavera gateway
- version/oracle primavera gateway/18.8.0
- version/oracle primavera gateway/18.8.8
- version/oracle primavera gateway/19.12.0
- canonical/oracle retail integration bus
- version/oracle retail integration bus/15.0
- version/oracle retail integration bus/16.0
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/15.0
- version/oracle retail xstore point of service/16.0
- version/oracle retail xstore point of service/17.0
- version/oracle retail xstore point of service/18.0
- version/oracle retail xstore point of service/19.0
- canonical/oracle webcenter portal
- version/oracle webcenter portal/12.2.1.3.0
- version/oracle webcenter portal/12.2.1.4.0
- package-manager/redhat