CVE-2018-11771 - Low Severity Vulnerability
Vulnerable Library - commons-compress-1.8.1.jar
path: 2/repository/org/apache/commons/commons-compress/1.8.1/commons-compress-1.8.1.jar
Library home page: http://commons.apache.org/proper/commons-compress/
Dependency Hierarchy:
- ❌ commons-compress-1.8.1.jar (Vulnerable Library)
Vulnerability Details
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-08-16
URL: CVE-2018-11771
CVSS 2 Score Details (3.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041503
Fix Resolution: The vendor has issued a fix (1.18).
The vendor advisory is available at:
https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities