CVE-2018-1324 — MEDIUM (5.5)

Q: How severe is CVE-2018-1324?

CVE-2018-1324 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1324?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Commons Compress, Oracle Mysql Cluster, Oracle Weblogic Server.

Vulnerability Description

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Commons Compress	>= 1.11, <= 1.15
Oracle	Mysql Cluster	<= 7.4.34
Oracle	Weblogic Server	14.1.1.0.0

Related Weaknesses (CWE)

CWE-835

References

http://www.securityfocus.com/bid/103490Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040549Third Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6ac
https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd9
https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
http://www.securityfocus.com/bid/103490Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040549Third Party AdvisoryVDB Entry
https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6ac
https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd9
https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2018-1324?

CVE-2018-1324 is a vulnerability with a CVSS score of 5.5 (MEDIUM). A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1....

How severe is CVE-2018-1324?

CVE-2018-1324 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1324?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Commons Compress, Oracle Mysql Cluster, Oracle Weblogic Server.