CVE-2018-11771
CVE-2018-11771 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package. EPSS estimates a 5.25% chance of exploitation in the next 30 days.
Description
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.7.0, <= 1.17.0 |
| Oracle | Weblogic Server | 14.1.1.0.0 |
References
- http://www.securityfocus.com/bid/105139 (Broken Link)
- http://www.securitytracker.com/id/1041503 (Broken Link)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
Source: NVD / NIST
