CVE-2018-1324

moderate-risk
Published 2018-03-16

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Do I need to act?

EPSS: ~1.7% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 5.5/10 Medium (LOCAL attack vector, LOW complexity)

Affected Products (3)

Commons Compress

Affected Vendors

Risk score: 31/100 (moderate-risk)
Severity: 18/34 · Moderate
Exploitability: 4/34 · Minimal
Exposure: 9/34 · Low