Lucene search

K
ubuntucveUbuntu.comUB:CVE-2018-11771
HistoryAug 16, 2018 - 12:00 a.m.

CVE-2018-11771

2018-08-1600:00:00
ubuntu.com
ubuntu.com
17
cve-2018-11771
zip archive vulnerability
ziparchiveinputstream
denial of service
apache commons compress
java
inputstreamreader
debian
compress-463
bug

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

50.7%

When reading a specially crafted ZIP archive, the read method of Apache
Commons Compress 1.7 to 1.17’s ZipArchiveInputStream can fail to return the
correct EOF indication after the end of the stream has been reached. When
combined with a java.io.InputStreamReader this can lead to an infinite
stream, which can be used to mount a denial of service attack against
services that use Compress’ zip package.

Bugs

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

50.7%