First published: Tue Aug 27 2019
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.github.1tchy.java9modular.org.apache.commons:commons-compress | =1.18.1 | |
| maven/org.apache.commons:commons-compress | >=1.15, <1.19 | 1.19 |
| redhat/apache-commons-compress | <1.19 | 1.19 |
| Apache Commons Compress | >=1.15, <=1.18 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Oracle Banking Payments | >=14.1.0, <=14.4.0 | |
| Oracle Banking Platform | =2.6.2 | |
| Oracle Banking Platform | =2.7.0 | |
| Oracle Banking Platform | =2.8.0 | |
| Oracle Banking Platform | =2.9.0 | |
| Oracle Communications Element Manager | >=8.2.0, <=8.2.2 | |
| Oracle Communications Ip Service Activator | =7.3.0 | |
| Oracle Communications Ip Service Activator | =7.4.0 | |
| Oracle Communications Session Report Manager | >=8.2.0, <=8.2.2 | |
| Oracle Communications Session Route Manager | >=8.2.0, <=8.2.2 | |
| Oracle Customer Management And Segmentation Foundation | =18.0 | |
| Oracle Essbase | =21.2 | |
| Oracle FLEXCUBE Investor Servicing | =12.1.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.3.0 | |
| Oracle FLEXCUBE Investor Servicing | =12.4.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.0.0 | |
| Oracle FLEXCUBE Investor Servicing | =14.1.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle JDeveloper | =12.2.1.4.0 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.56 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.57 | |
| Oracle Peoplesoft Enterprise Pt Peopletools | =8.58 | |
| Oracle Primavera Gateway | >=18.8.0, <=18.8.8 | |
| Oracle Primavera Gateway | =19.12.0 | |
| Oracle Retail Integration Bus | =15.0 | |
| Oracle Retail Integration Bus | =16.0 | |
| Oracle Retail Xstore Point of Service | =15.0 | |
| Oracle Retail Xstore Point of Service | =16.0 | |
| Oracle Retail Xstore Point of Service | =17.0 | |
| Oracle Retail Xstore Point of Service | =18.0 | |
| Oracle Retail Xstore Point of Service | =19.0 | |
| Oracle WebCenter Portal | =12.2.1.3.0 | |
| Oracle WebCenter Portal | =12.2.1.4.0 | |
CVE-2019-12402 is a vulnerability in Apache Commons Compress versions 1.15 to 1.18 that allows resource consumption attacks through a file name encoding algorithm.
The severity of CVE-2019-12402 is high, with a CVSS severity score of 7.5.
Apache Commons Compress versions 1.15 to 1.18, io.github.1tchy.java9modular.org.apache.commons:commons-compress 1.18.1, and org.apache.commons:commons-compress versions 1.15 to 1.19 are affected by CVE-2019-12402.
Applications that use Compress to create archives, with one of the filenames within the archive being controlled by the user, may be vulnerable to CVE-2019-12402.
You can find more information about CVE-2019-12402 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2019-12402) and the NIST National Vulnerability Database (https://nvd.nist.gov/vuln/detail/CVE-2019-12402).