CVE-2024-25710 - OpenCVE

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Commons Compress

Configuration 1 [-]

cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/02/19/1	Mailing List Third Party Advisory
https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf	Vendor Advisory
https://security.netapp.com/advisory/ntap-20240307-0010/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2024-02-19T08:33:40.627Z

Updated: 2024-07-05T17:21:44.416Z

Reserved: 2024-02-10T23:44:45.963Z

Link: CVE-2024-25710

JSON object: View

NVD Information

Status : Modified

Published: 2024-02-19T09:15:37.943

Modified: 2024-03-07T17:15:12.940

Link: CVE-2024-25710

JSON object: View

Redhat Information

No data.

CWE

CWE-835

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-25710", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-02-10T23:44:45.963Z", "datePublished": "2024-02-19T08:33:40.627Z", "dateUpdated": "2024-07-05T17:21:44.416Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.commons:commons-compress", "product": "Apache Commons Compress", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.25.0", "status": "affected", "version": "1.3", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Yakov Shafranovich, Amazon Web Services"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.<p>This issue affects Apache Commons Compress: from 1.3 through 1.25.0.</p><p>Users are recommended to upgrade to version 1.26.0 which fixes the issue.</p>"}], "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\n\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "description": "CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-19T08:33:40.627Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/19/1"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0010/"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-25710", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-20T16:19:19.175447Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:44.416Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*", "matchCriteriaId": "3EF50821-2FCC-46EF-A55F-92BF58251310", "versionEndExcluding": "1.26.0", "versionStartIncluding": "1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\n\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.\n\n"}, {"lang": "es", "value": "Bucle con vulnerabilidad de condici\u00f3n de salida inalcanzable (\"bucle infinito\") en Apache Commons Compress. Este problema afecta a Apache Commons Compress: desde 1.3 hasta 1.25.0. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.26.0, que soluciona el problema."}], "id": "CVE-2024-25710", "lastModified": "2024-03-07T17:15:12.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2024-02-19T09:15:37.943", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/02/19/1"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20240307-0010/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "security@apache.org", "type": "Primary"}]}