CVE-2019-12402
high-risk
Published 2019-08-30
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Do I need to act?
-
0.42% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (20)
Commons Compress
Customer Management And Segmentation Foundation
Affected Vendors
References (60)
and 40 more references
52
/ 100
high-risk
Severity
26/34 · High
Exploitability
2/34 · Minimal
Exposure
24/34 · High