Skip to content

[Aikido] Fix security issue in org.apache.commons:commons-compress via minor version upgrade from 1.15.0 to 1.26.0 in packages#17

Open
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-8480974-v2KH
Open

[Aikido] Fix security issue in org.apache.commons:commons-compress via minor version upgrade from 1.15.0 to 1.26.0 in packages#17
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-update-packages-8480974-v2KH

Conversation

@aikido-autofix

Copy link
Copy Markdown

This PR will resolve the following CVEs:

CVE ID Severity Description
CVE-2019-12402
HIGH
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
CVE-2021-35515
HIGH
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-35516
HIGH
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVE-2021-35517
HIGH
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CVE-2021-36090
HIGH
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVE-2018-1324
MEDIUM
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip pac...
CVE-2024-25710
MEDIUM
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.
CVE-2018-11771
MEDIUM
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream,...

@aikido-autofix aikido-autofix Bot added bug Something isn't working documentation Improvements or additions to documentation labels Oct 10, 2025
Comment thread packages/pom.xml

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CVE-2025-48924 in org.apache.commons:commons-lang3 - medium severity
Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Remediation Aikido suggests bumping this package to version 3.18.0 to resolve this issue
View details in Aikido Security

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants