Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
0

CVE-2018-11771

Disclosure Date: August 16, 2018
CVE-2018-11771 CVSS v3 Base Score: 5.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17’s ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress’ zip package.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Apache Commons Compress 1.7 to 1.17
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache,
  • oracle

Products

  • commons compress,
  • weblogic server 14.1.1.0.0

References

Canonical
CVE-2018-11771 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771)
BID-105139 (http://www.securityfocus.com/bid/105139)
Advisory
[announce] 20180816 [CVE-2018-11771] Apache Commons Compress 1.7 to 1.17 denial of service vulnerability (https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E)
SECTRACK-1041503 (http://www.securitytracker.com/id/1041503)
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1 (https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E)
[creadur-dev] 20190530 [Discuss] RAT-244 - update to language level 1.7 due to CVE issues in RAT (https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E)
[commons-notifications] 20190827 svn commit: r1049290 - in /websites/production/commons/content/proper/commons-compress: changes-report.html security-reports.html (https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E)
[commons-commits] 20190827 [commons-compress] branch master updated: record CVE-2019-12402 (https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E)
[tinkerpop-commits] 20190923 [GitHub] [tinkerpop] justinchuch opened a new pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E)
[tinkerpop-commits] 20190923 [GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E)
[tinkerpop-commits] 20190923 [GitHub] [tinkerpop] robertdale commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E)
[tinkerpop-dev] 20190924 [GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E)
[tinkerpop-commits] 20190924 [GitHub] [tinkerpop] spmallette commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E)
[tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E)
[tinkerpop-dev] 20190924 [GitHub] [tinkerpop] justinchuch commented on issue #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E)
[tinkerpop-dev] 20190930 [GitHub] [tinkerpop] spmallette closed pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E)
[tinkerpop-commits] 20190930 [GitHub] [tinkerpop] spmallette merged pull request #1199: Upgrade commons-compress to version 1.19 due to CVE-2018-11771 (https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E)
Miscellaneous
https://www.oracle.com/security-alerts/cpujan2022.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis