CVE-2019-12402

Published: Aug 30, 2019Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Affected (38)

Products: Apache: Commons Compress · Fedoraproject: Fedora · Oracle: Banking Payments, Banking Platform, Communications Element Manager, Communications Ip Service Activator, Communications Session Report Manager, Communications Session Route Manager, Customer Management And Segmentation Foundation, Essbase, Flexcube Investor Servicing, Flexcube Private Banking, Hyperion Infrastructure Technology, Jdeveloper, Peoplesoft Enterprise Pt Peopletools, Primavera Gateway, Retail Integration Bus, Retail Xstore Point Of Service, Webcenter Portal

1 product

1 product

17 products

Communications Element Manager

Communications Ip Service Activator

Communications Session Report Manager

Communications Session Route Manager

Customer Management And Segmentation Foundation

Essbase

Flexcube Investor Servicing

Flexcube Private Banking

Hyperion Infrastructure Technology

Jdeveloper

Peoplesoft Enterprise Pt Peopletools

Primavera Gateway

Retail Integration Bus

Retail Xstore Point Of Service

Webcenter Portal

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Commons Compress	From 1.15 to 1.18

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31

Configuration C

35 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Payments	From 14.1.0 to 14.4.0
Oracle Banking Platform	Version 2.6.2
Oracle Banking Platform	Version 2.7.0
Oracle Banking Platform	Version 2.8.0
Oracle Banking Platform	Version 2.9.0
Oracle Communications Element Manager	From 8.2.0 to 8.2.2
Oracle Communications Ip Service Activator	Version 7.3.0
Oracle Communications Ip Service Activator	Version 7.4.0
Oracle Communications Session Report Manager	From 8.2.0 to 8.2.2
Oracle Communications Session Route Manager	From 8.2.0 to 8.2.2
Oracle Customer Management And Segmentation Foundation	Version 18.0
Oracle Essbase	Version 21.2
Oracle Flexcube Investor Servicing	Version 12.1.0
Oracle Flexcube Investor Servicing	Version 12.3.0
Oracle Flexcube Investor Servicing	Version 12.4.0
Oracle Flexcube Investor Servicing	Version 14.0.0
Oracle Flexcube Investor Servicing	Version 14.1.0
Oracle Flexcube Private Banking	Version 12.0.0
Oracle Flexcube Private Banking	Version 12.1.0
Oracle Hyperion Infrastructure Technology	Version 11.1.2.4
Oracle Jdeveloper	Version 12.2.1.4.0
Oracle Peoplesoft Enterprise Pt Peopletools	Version 8.56
Oracle Peoplesoft Enterprise Pt Peopletools	Version 8.57
Oracle Peoplesoft Enterprise Pt Peopletools	Version 8.58
Oracle Primavera Gateway	From 18.8.0 to 18.8.8
Oracle Primavera Gateway	Version 19.12.0
Oracle Retail Integration Bus	Version 15.0
Oracle Retail Integration Bus	Version 16.0
Oracle Retail Xstore Point Of Service	Version 15.0
Oracle Retail Xstore Point Of Service	Version 16.0
Oracle Retail Xstore Point Of Service	Version 17.0
Oracle Retail Xstore Point Of Service	Version 18.0
Oracle Retail Xstore Point Of Service	Version 19.0
Oracle Webcenter Portal	Version 12.2.1.3.0
Oracle Webcenter Portal	Version 12.2.1.4.0

Related CWEs

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

References (60)

https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b%40%3Cdev.commons.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea%40%3Ccommits.creadur.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53%40%3Cdev.brooklyn.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265%40%3Cissues.flink.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E

Source: security@apache.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/

Source: security@apache.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL/

Source: security@apache.org

https://security.netapp.com/advisory/ntap-20230818-0001/

Source: security@apache.org

https://www.oracle.com//security-alerts/cpujul2021.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2020.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2020.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: security@apache.org

Not ApplicableThird Party Advisory

https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b%40%3Cdev.commons.apache.org%3E