IBMStreams/streamsx.avro

Vulnerability found in org.apache.commons:commons-compress

Status: closed · 0 comments

Details

CVE-2019-12402

Vulnerable versions: >= 1.15, < 1.19
Patched version: 1.19

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service if an attacker can choose the file names inside an archive created by Compress.

Remediation

Upgrade org.apache.commons:commons-compress to version 1.19 or later. For example:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-compress</artifactId>
  <version>[1.19,)</version>
</dependency>

Always verify the validity and compatibility of suggestions with your codebase.