vulnerability
Ubuntu: (CVE-2018-11771): libcommons-compress-java vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Aug 16, 2018 | Nov 19, 2024 | Oct 30, 2025 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Published
Aug 16, 2018
Added
Nov 19, 2024
Modified
Oct 30, 2025
Description
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Solution
ubuntu-upgrade-libcommons-compress-java
References
- CVE-2018-11771
- https://attackerkb.com/topics/CVE-2018-11771
- CWE-835
- URL-http://www.openwall.com/lists/oss-security/2018/08/16/2
- URL-http://www.securitytracker.com/id/1041503
- URL-https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E
- URL-https://www.cve.org/CVERecord?id=CVE-2018-11771
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.