CVE-2024-26308
CVE-2024-26308 affects Apache Commons Compress: Allocation of Resources Without Limits or Throttling. The IBM bulletin lists the vulnerability as present in Apache Commons Compress 1.21 through 1.25.x and fixes it in 1.26. Impact is resource exhaustion/denial of service with a base score of 5.5 (...
CVE-2023-42503
CVE-2023-42503: In Apache Commons Compress TAR parsing, improper input validation of pax header time fields (atime/mtime/ctime/LIBARCHIVE.creationtime) can be exploited to trigger denial-of-service via CPU exhaustion. A malformed TAR file crafted with extreme fractional times (or exponent notatio...
CVE-2024-25710
CVE-2024-25710 describes a Loop with Unreachable Exit Condition (Infinite Loop) in Apache Commons Compress, affecting versions 1.3 through 1.25.0. The issue is identified as a vulnerability in the compression library, with impact details indicating high severity in some advisories and a 5.5–8.1 C...
CVE-2021-36090
CVE-2021-36090 affects Apache Commons Compress zip handling: reading a specially crafted ZIP can allocate excessive memory, causing an out-of-memory DoS. Supported details from IBM/AWS advisories point to a fix in Commons Compress (upgrade to 1.21+; e.g., Amazon Linux advisories list apache-commo...
CVE-2021-35515
CVE-2021-35515 is an infinite-loop denial-of-service in Apache Commons Compress when reading a crafted 7Z archive. The issue arises during the construction of the codecs list used to decompress an entry, potentially consuming unbounded CPU and impacting services that rely on the sevenz package. C...
CVE-2021-35517
CVE-2021-35517 affects Apache Commons Compress tar handling. The vulnerability, triggered by reading a specially crafted TAR archive, can cause Compress to allocate excessive memory, potentially leading to an out-of-memory condition and a denial-of-service against services using Compress’ tar pac...
CVE-2021-35516
CVE-2021-35516 affects Apache Commons Compress (the sevenz package). A specially crafted 7Z archive can cause the library to allocate excessive memory, ultimately causing an out-of-memory condition and a denial-of-service on services that use Compress’ sevenz component. The initial description do...
CVE-2019-12402
CVE-2019-12402 affects Apache Commons Compress 1.15–1.18, where the internal file-name encoding can loop infinitely and cause DoS when processing crafted archives. Connected docs show multiple vendors referencing this CVE in product advisories (e.g., Atlassian Confluence with dependency notes; IB...
CVE-2012-2098
CVE-2012-2098 affects Apache Commons Compress (BZip2CompressorOutputStream). The vulnerability is an algorithmic complexity in the sorting routines used by the bzip2 stream, allowing an attacker to cause CPU exhaustion (DoS) by feeding input with many repeating patterns. Affected product: Apache ...
CVE-2018-11771
CVE-2018-11771 affects the Apache Commons Compress ZipArchiveInputStream (versions 1.7 through 1.17). The issue is that reading a specially crafted ZIP archive may fail to return a correct EOF indication after the stream ends, which when combined with a java.io.InputStreamReader can lead to an in...
CVE-2018-1324
CVE-2018-1324: multiple Apache Commons Compress advisories describe an infinite-loop DoS in the Zip extra field parser used by ZipFile/ZipArchiveInputStream (versions 1.11–1.15). A specially crafted ZIP can cause an infinite loop, impacting services that use the library. Public docs confirm this...