Vulnerability in Apache Commons_compress
CVE-2019-12402
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file…
EPSS: 0.162 (96.5th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Apache Commons_compress
- Apache Software Foundation Commons Compress — versions 1.15 to 1.18
- Oracle Banking_payments
- Oracle Banking_platform — versions 2.6.2, 2.7.0, 2.8.0
- Oracle Communications_element_manager
- Oracle Communications_ip_service_activator — versions 7.3.0, 7.4.0
- Oracle Communications_session_report_manager
- Oracle Communications_session_route_manager
- Oracle Customer_management_and_segmentation_foundation — versions 18.0
- Oracle Essbase — versions 21.2
Weakness classification (CWE)
Public proof-of-concept exploits
References
- security@apache.org (mailing-list)
- security@apache.org (vendor-advisory)
- security@apache.org (vendor-advisory)
- security@apache.org (mailing-list)
- security@apache.org (mailing-list)
- security@apache.org (mailing-list)
- security@apache.org (mailing-list)
- security@apache.org (mailing-list)
- security@apache.org (mailing-list)
- security@apache.org (mailing-list)
Frequently asked questions
- What is CVE-2019-12402?
- CVE-2019-12402 is a high-severity vulnerability in Apache Commons_compress, classified under Loop with Unreachable Exit Condition (Infinite Loop). CVSS score: 7.5/10. Published 2019-08-30.
- How severe is CVE-2019-12402?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2019-12402 known to be exploited?
- 8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.