CVE-2018-1324 - A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compr

CVE-2018-1324

Summary

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

References

Vulnerable Configurations

cpe:2.3:a:apache:commons_compress:1.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.1:beta:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.1:beta:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.2:beta:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.2:beta:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.13:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.13:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.16:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.16:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.20:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.20:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.22:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.22:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.24:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.24:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.25:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.25:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.27:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.2.27:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.1:m2:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.1:m2:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.13:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.13:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.16:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.16:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.3.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.1:m1:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.1:m1:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.2:m2:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.2:m2:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.3:rc:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.3:rc:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.11:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.12:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.13:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.13:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.14:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.33:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.33:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.34:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.4.34:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.0:m1:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.0:m1:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.1:m2:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.1:m2:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.2:m3:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.2:m3:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.5:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.24:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.5.24:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.6.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.6.15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.6.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:7.6.19:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.21:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.23:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.25:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.25:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.27:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_cluster:8.0.27:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 18-04-2022 - 14:27)
Impact:
Exploitability:

CWE

CWE-835

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:N/I:N/A:P

refmap via4

bid	103490
mlist	[beam-issues] 20200421 [jira] [Closed] (BEAM-3873) Current version of commons-compress is DOS vulnerable CVE-2018-1324 [creadur-dev] 20190530 [Discuss] RAT-244 - update to language level 1.7 due to CVE issues in RAT [dev] 20180316 [CVE-2018-1324] Apache Commons Compress denial of service vulnerability [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
sectrack	1040549

Last major update

18-04-2022 - 14:27

Published

16-03-2018 - 13:29

Last modified

18-04-2022 - 14:27