CVE-2019-12402

Published: 30/08/2019
Updated: 14/05/2022
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.


Vulnerable Products

apache commons compress
fedoraproject fedora 30
fedoraproject fedora 31
oracle flexcube investor servicing 12.3.0
oracle flexcube investor servicing 12.1.0
oracle retail xstore point of service 15.0
oracle flexcube private banking 12.1.0
oracle flexcube private banking 12.0.0
oracle retail integration bus 15.0
oracle webcenter portal 12.2.1.3.0
oracle flexcube investor servicing 12.4.0
oracle peoplesoft enterprise pt peopletools 8.56
oracle retail xstore point of service 16.0
oracle banking payments
oracle banking platform 2.6.2
oracle banking platform 2.7.0
oracle banking platform 2.8.0
oracle banking platform 2.9.0
oracle communications ip service activator 7.3.0
oracle communications ip service activator 7.4.0
oracle communications session route manager
oracle customer management and segmentation foundation 18.0
oracle flexcube investor servicing 14.0.0
oracle flexcube investor servicing 14.1.0
oracle hyperion infrastructure technology 11.1.2.4
oracle jdeveloper 12.2.1.4.0
oracle primavera gateway
oracle primavera gateway 19.12.0
oracle retail integration bus 16.0
oracle retail xstore point of service 17.0
oracle retail xstore point of service 18.0
oracle retail xstore point of service 19.0
oracle webcenter portal 12.2.1.4.0
oracle communications element manager
oracle communications session report manager
oracle essbase 21.2
oracle peoplesoft enterprise pt peopletools 8.57
oracle peoplesoft enterprise pt peopletools 8.58

Vendor Advisories

Debian Bug report logs - #939610 libcommons-compress-java: CVE-2019-12402. Package: src:libcommons-compress-java; Maintainer for src:libcommons-compress-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 6 Sep 2019 19:33:02 U ...
Apache Commons Compress is vulnerable to a denial of service which can affect IBM Spectrum Control (formerly IBM Tivoli Storage Productivity Center) ...
Security vulnerabilities have been addressed in IBM Cognos Analytics 11.0.13 FP4. These vulnerabilities have also been addressed in previous versions of IBM Cognos Analytics 11.1.x ...

Github Repositories

PHunter: a supplementary repository for the paper submission "Precise and Efficient Patch Presence Test for Android Applications against Code Obfuscation". PHunter is a precise and efficient patch presence test tool for Android applications that works against code obfuscation, including identifier renaming, package flattening, control flow randomization, and dead code removal. Unlike other tools, PHunter does not rely on debug information and uses fine-grained anti-obfuscation semantic information to determine patch status.

References

CWE-835
https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b@%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea@%3Ccommits.creadur.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL/
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0@%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53@%3Cdev.brooklyn.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939610
https://nvd.nist.gov
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator-is-affected-by-a-vulnerability-in-apache-commons-compress-cve-2019-12402/