Vulnerability Description
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service if an attacker can choose the file names inside an archive created by Compress.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Commons Compress | >= 1.15, <= 1.18 |
| Fedoraproject | Fedora | 30 |
| Oracle | Banking Payments | >= 14.1.0, <= 14.4.0 |
| Oracle | Banking Platform | 2.6.2 |
| Oracle | Communications Element Manager | >= 8.2.0, <= 8.2.2 |
| Oracle | Communications Ip Service Activator | 7.3.0 |
| Oracle | Communications Session Report Manager | >= 8.2.0, <= 8.2.2 |
| Oracle | Communications Session Route Manager | >= 8.2.0, <= 8.2.2 |
| Oracle | Customer Management And Segmentation Foundation | 18.0 |
| Oracle | Essbase | 21.2 |
| Oracle | Flexcube Investor Servicing | 12.1.0 |
| Oracle | Flexcube Private Banking | 12.0.0 |
| Oracle | Hyperion Infrastructure Technology | 11.1.2.4 |
| Oracle | Jdeveloper | 12.2.1.4.0 |
| Oracle | Peoplesoft Enterprise Pt Peopletools | 8.56 |
| Oracle | Primavera Gateway | >= 18.8.0, <= 18.8.8 |
| Oracle | Retail Integration Bus | 15.0 |
| Oracle | Retail Xstore Point Of Service | 15.0 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a27
- https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b667
- https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fd
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133dee
- https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d2
- https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75
- https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bf
- https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e
- https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e
- https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a
- https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849
- https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d
- https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0
- https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070
FAQ
What is CVE-2019-12402?
CVE-2019-12402 is a vulnerability with a CVSS score of 7.5 (HIGH). The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service at...
How severe is CVE-2019-12402?
CVE-2019-12402 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-12402?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Commons Compress, Fedoraproject Fedora, Oracle Banking Payments, Oracle Banking Platform, Oracle Communications Element Manager.