CVE-2019-12402

Name: CVE-2019-12402
Creator: NVD / NIST
Published: 2019-08-30T09:15:17.91+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 16.16%

Last modified Jun 17, 2026

CVE-2019-12402 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.. EPSS estimates a 16.16% chance of exploitation in the next 30 days.

Description

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

16.16%

96.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-835

Affected Software

Vendor	Product	Versions
Apache	Commons Compress	>= 1.15, <= 1.18
Fedoraproject	Fedora	30
Fedoraproject	Fedora	31
Oracle	Banking Payments	>= 14.1.0, <= 14.4.0
Oracle	Banking Platform	2.6.2
Oracle	Banking Platform	2.7.0
Oracle	Banking Platform	2.8.0
Oracle	Banking Platform	2.9.0
Oracle	Communications Element Manager	>= 8.2.0, <= 8.2.2
Oracle	Communications Ip Service Activator	7.3.0
Oracle	Communications Ip Service Activator	7.4.0
Oracle	Communications Session Report Manager	>= 8.2.0, <= 8.2.2
Oracle	Communications Session Route Manager	>= 8.2.0, <= 8.2.2
Oracle	Customer Management And Segmentation Foundation	18.0
Oracle	Essbase	21.2
Oracle	Flexcube Investor Servicing	12.1.0
Oracle	Flexcube Investor Servicing	12.3.0
Oracle	Flexcube Investor Servicing	12.4.0
Oracle	Flexcube Investor Servicing	14.0.0
Oracle	Flexcube Investor Servicing	14.1.0
Oracle	Flexcube Private Banking	12.0.0
Oracle	Flexcube Private Banking	12.1.0
Oracle	Hyperion Infrastructure Technology	11.1.2.4
Oracle	Jdeveloper	12.2.1.4.0
Oracle	Peoplesoft Enterprise Pt Peopletools	8.56
Oracle	Peoplesoft Enterprise Pt Peopletools	8.57
Oracle	Peoplesoft Enterprise Pt Peopletools	8.58
Oracle	Primavera Gateway	>= 18.8.0, <= 18.8.8
Oracle	Primavera Gateway	19.12.0
Oracle	Retail Integration Bus	15.0
Oracle	Retail Integration Bus	16.0
Oracle	Retail Xstore Point Of Service	15.0
Oracle	Retail Xstore Point Of Service	16.0
Oracle	Retail Xstore Point Of Service	17.0
Oracle	Retail Xstore Point Of Service	18.0
Oracle	Retail Xstore Point Of Service	19.0
Oracle	Webcenter Portal	12.2.1.3.0
Oracle	Webcenter Portal	12.2.1.4.0

References

Timeline

Published: Aug 30, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-12402?

How severe is CVE-2019-12402?

CVE-2019-12402 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 16.16% probability of exploitation in the next 30 days.

How do I fix CVE-2019-12402?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-12402?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST