CVE-2018-11771

Published: 16/08/2018 Updated: 06/10/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Summary

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
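A consumer-side guard for the failure mode described above, as an added example that is not code from this page or from Apache Commons Compress. The class names are hypothetical, and `NeverEndingStream` is a constructed stand-in for a source that never reports EOF; in an application the guard would sit between `ZipArchiveInputStream` and the `InputStreamReader`.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;

public class BoundedReadDemo {
    /** Fails closed once maxBytes were delivered or the source stops making progress. */
    static final class BoundedInputStream extends FilterInputStream {
        private final long maxBytes;
        private long seen;
        private int stalls;

        BoundedInputStream(InputStream in, long maxBytes) {
            super(in);
            this.maxBytes = maxBytes;
        }
        @Override public int read() throws IOException {
            int b = in.read();
            if (b >= 0) account(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            int n = in.read(buf, off, len);
            if (n > 0) account(n);
            // Assumption: a broken source may also return 0 forever instead of -1.
            else if (n == 0 && len > 0 && ++stalls > 1000)
                throw new IOException("source returns no data and no EOF");
            return n;
        }
        private void account(long n) throws IOException {
            stalls = 0;
            seen += n;
            if (seen > maxBytes) throw new IOException("byte budget exceeded: " + maxBytes);
        }
    }

    /** Constructed stand-in for a stream that never signals EOF. */
    static final class NeverEndingStream extends InputStream {
        @Override public int read() { return 'A'; }
    }

    public static void main(String[] args) {
        // 1 MiB budget: pick a limit that fits the largest entry the service should accept.
        InputStream guarded = new BoundedInputStream(new NeverEndingStream(), 1 << 20);
        try (Reader r = new InputStreamReader(guarded, StandardCharsets.UTF_8)) {
            char[] chunk = new char[8192];
            while (r.read(chunk) != -1) { /* consume decoded text */ }
        } catch (IOException e) {
            System.out.println("aborted: " + e.getMessage());
        }
    }
}
```

Without the wrapper the `while` loop never terminates; with it, the read fails with an `IOException` once the budget is spent, so the worker thread is released.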

Vulnerable Product

Apache Commons Compress

Vendor Advisories

Debian Bug report logs - #906301: libcommons-compress-java: CVE-2018-11771: denial of service vulnerability. Package: src:libcommons-compress-java; Maintainer for src:libcommons-compress-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> ...

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service at ...

There is a vulnerability in Apache Commons Compress used by IBM® Cloud App Management V2018. IBM® Cloud App Management has addressed the applicable CVE in a later version ...

Synopsis: Important: Red Hat Fuse 7.6.0 security update. Type/Severity: Security Advisory: Important. Topic: A minor version update (from 7.5 to 7.6) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security h ...

Security vulnerabilities have been addressed in IBM Cognos Analytics 11.0.13 FP4. These vulnerabilities have also been addressed in previous versions of IBM Cognos Analytics 11.1.x ...

Github Repositories

JQF + Zest: Semantic Fuzzing for Java. JQF is a feedback-directed fuzz testing platform for Java (think: AFL/LibFuzzer but for JVM bytecode). JQF uses the abstraction of property-based testing, which makes it nice to write fuzz drivers as parametric JUnit test methods. JQF is built on top of junit-quickcheck. JQF enables running junit-quickcheck style parameterized unit tests w

JQF + Zest: Coverage-guided semantic fuzzing for Java.

JQF + Zest: Semantic Fuzzing for Java. JQF is a feedback-directed fuzz testing platform for Java, which uses the abstraction of property-based testing. JQF is built on top of junit-quickcheck: a tool for generating random arguments for parametric JUnit test methods. JQF enables better input generation using coverage-guided fuzzing algorithms such as Zest. Zest is an algorithm th

References

CWE-835
https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E
http://www.securitytracker.com/id/1041503
http://www.securityfocus.com/bid/105139
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E
https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E
https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E
https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906301
https://tools.cisco.com/security/center/viewAlert.x?alertId=58754
https://nvd.nist.gov
https://github.com/rohanpadhye/jqf