CVE-2019-12402 - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get int

CVE-2019-12402

Summary

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

References

Vulnerable Configurations

cpe:2.3:a:apache:commons_compress:1.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.16.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.16.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_compress:1.18:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.56:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_payments:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_payments:14.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_payments:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_payments:14.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_payments:14.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:18.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:18.8.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:primavera_gateway:18.8.8:*:*:*:*:*:*:*
cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_platform:2.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_session_report_manager:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*
cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:essbase:21.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 18-08-2023 - 14:15)
Impact:
Exploitability:

CWE

CWE-835

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

refmap via4

fedora	FEDORA-2019-c96a8d12b0 FEDORA-2019-da0eac1eb6
misc	https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b@%3Cdev.commons.apache.org%3E https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpujan2021.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html
mlist	[brooklyn-dev] 20200403 [GitHub] [brooklyn-server] nakomis opened a new pull request #1089: Bumps commons-compress version [creadur-commits] 20191022 [creadur-rat] branch master updated: RAT-258: Update to latest commons-compress to fix CVE-2019-12402 [druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities [flink-issues] 20200306 [GitHub] [flink] flinkbot commented on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200306 [GitHub] [flink] flinkbot edited a comment on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200306 [GitHub] [flink] nielsbasjes opened a new pull request #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200310 [GitHub] [flink] GJL commented on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200311 [GitHub] [flink] GJL commented on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200311 [GitHub] [flink] flinkbot edited a comment on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200311 [GitHub] [flink] nielsbasjes commented on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200311 [GitHub] [flink] nielsbasjes edited a comment on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200312 [GitHub] [flink] GJL commented on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200312 [GitHub] [flink] zentol commented on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200313 [GitHub] [flink] GJL closed pull request #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200313 [GitHub] [flink] GJL commented on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [flink-issues] 20200313 [GitHub] [flink] zentol commented on issue #11333: [FLINK-14121] Update commons-compress because of CVE-2019-12402 [lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1 [lucene-solr-user] 20200320 Re: CVEs (vulnerabilities) that apply to Solr 8.4.1

Last major update

18-08-2023 - 14:15

Published

30-08-2019 - 09:15

Last modified

18-08-2023 - 14:15