CVE-2019-12402

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Published: Aug 30, 2019
Updated: Aug 19, 2023
CVE: CVE-2019-12402
GHSA: GHSA-53x6-4x5p-rrvv
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-835

Affected Software
References

Software	From	Fixed in
apache / commons_compress	1.15	1.18.x
fedoraproject / fedora	30	30.x
fedoraproject / fedora	31	31.x
oracle / flexcube_investor_servicing	12.3.0	12.3.0.x
oracle / flexcube_investor_servicing	12.1.0	12.1.0.x
oracle / retail_xstore_point_of_service	15.0	15.0.x
oracle / flexcube_private_banking	12.1.0	12.1.0.x
oracle / flexcube_private_banking	12.0.0	12.0.0.x
oracle / retail_integration_bus	15.0	15.0.x
oracle / webcenter_portal	12.2.1.3.0	12.2.1.3.0.x
oracle / flexcube_investor_servicing	12.4.0	12.4.0.x
oracle / peoplesoft_enterprise_pt_peopletools	8.56	8.56.x
oracle / retail_xstore_point_of_service	16.0	16.0.x
oracle / flexcube_investor_servicing	14.0.0	14.0.0.x
oracle / retail_integration_bus	16.0	16.0.x
oracle / banking_platform	2.6.2	2.6.2.x
oracle / flexcube_investor_servicing	14.1.0	14.1.0.x
oracle / webcenter_portal	12.2.1.4.0	12.2.1.4.0.x
oracle / retail_xstore_point_of_service	17.0	17.0.x
oracle / retail_xstore_point_of_service	18.0	18.0.x
oracle / retail_xstore_point_of_service	19.0	19.0.x
oracle / communications_ip_service_activator	7.4.0	7.4.0.x
oracle / communications_ip_service_activator	7.3.0	7.3.0.x
oracle / banking_payments	14.1.0	14.4.0.x
oracle / hyperion_infrastructure_technology	11.1.2.4	11.1.2.4.x
oracle / jdeveloper	12.2.1.4.0	12.2.1.4.0.x
oracle / banking_platform	2.7.0	2.7.0.x
oracle / banking_platform	2.9.0	2.9.0.x
oracle / primavera_gateway	19.12.0	19.12.0.x
oracle / primavera_gateway	18.8.0	18.8.8.x
oracle / customer_management_and_segmentation_foundation	18.0	18.0.x
oracle / banking_platform	2.8.0	2.8.0.x
oracle / communications_session_route_manager	8.2.0	8.2.2.x
oracle / communications_session_report_manager	8.2.0	8.2.2.x
oracle / communications_element_manager	8.2.0	8.2.2.x
oracle / peoplesoft_enterprise_pt_peopletools	8.57	8.57.x
oracle / essbase	21.2	21.2.x
oracle / peoplesoft_enterprise_pt_peopletools	8.58	8.58.x
org.apache.commons / commons-compress	1.15	1.19

Vulnerability Database

289,599

CVE-2019-12402