Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-1324

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Published

2018-03-16T13:29:00.360

Last Modified

2024-11-21T03:59:37.757

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.5 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-835

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	commons_compress	≤ 1.15	Yes
Application	oracle	mysql_cluster	≤ 7.4.34	Yes
Application	oracle	mysql_cluster	≤ 7.5.24	Yes
Application	oracle	mysql_cluster	≤ 7.6.20	Yes
Application	oracle	mysql_cluster	≤ 8.0.27	Yes
Application	oracle	weblogic_server	14.1.1.0.0	Yes

References

http://www.securityfocus.com/bid/103490 Third Party Advisory, VDB Entry ([email protected])
http://www.securitytracker.com/id/1040549 Third Party Advisory, VDB Entry ([email protected])
https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089%40%3Cdev.commons.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd%40%3Cdev.creadur.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387%40%3Cissues.beam.apache.org%3E ([email protected])
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/103490 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1040549 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089%40%3Cdev.commons.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd%40%3Cdev.creadur.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387%40%3Cissues.beam.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)