CVE-2018-1324

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

References

Affected packages

Git / github.com/apache/commons-compress

Affected ranges

Type

GIT

Repo

https://github.com/apache/commons-compress

Events

Introduced

ff38bf57378c7cae8617b3c8df692a5ffbe7b83f

Last affected

01b06d5ef5c5ac3bd651bedcfec7433231cea371

Database specific

{
    "versions": [
        {
            "introduced": "1.11"
        },
        {
            "last_affected": "1.15"
        }
    ]
}

Affected versions

1.*

1.11-RC1

1.14-RC1

1.15-RC1

COMPRESS-1.*

COMPRESS-1.11-RC2

COMPRESS-1.12-RC1

COMPRESS-1.13-RC1

rel/1.*

rel/1.11

rel/1.12

rel/1.13

rel/1.14

rel/1.15

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.4.34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "7.5.0"
            },
            {
                "last_affected": "7.5.24"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "7.6.0"
            },
            {
                "last_affected": "7.6.20"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "8.0.0"
            },
            {
                "last_affected": "8.0.27"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "14.1.1.0.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-1324.json"