CVE-2018-1324
Last modified
CVE-2018-1324 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.. EPSS estimates a 3.68% chance of exploitation in the next 30 days.
Description
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.11, <= 1.15 |
| Oracle | Mysql Cluster | <= 7.4.34 |
| Oracle | Mysql Cluster | >= 7.5.0, <= 7.5.24 |
| Oracle | Mysql Cluster | >= 7.6.0, <= 7.6.20 |
| Oracle | Mysql Cluster | >= 8.0.0, <= 8.0.27 |
| Oracle | Weblogic Server | 14.1.1.0.0 |
References
- http://www.securityfocus.com/bid/103490Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1040549Third Party Advisory, VDB Entry
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- http://www.securityfocus.com/bid/103490Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id/1040549Third Party Advisory, VDB Entry
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-1324?
How severe is CVE-2018-1324?
How do I fix CVE-2018-1324?
Are you affected by CVE-2018-1324?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST