VDB
CVE-2018-11771
CVE-2018-11771
PUBLISHED
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
EPSS 1.11% · 78.6th percentile
Risk Scores
EPSS Score
1.11%
78.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | libcommons-compress-java | 1.18-1~18.04, 0, 1.13-1 |
| Ubuntu:16.04:LTS | libcommons-compress-java | 1.9-1, 1.10-1, 1.10-2 |
Exploit Intelligence
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
- indicator_tools.yar (github-yara)
…and 46 more exploits
Timeline
- CVE Published
- Oct 2, 2020 PoC Published
- Nov 6, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Sep 6, 2021 PoC Published
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-11771 third-party-advisory
- http://www.openwall.com/lists/oss-security/2018/08/16/2 third-party-advisory
- http://www.securitytracker.com/id/1041503 third-party-advisory
- https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-11771 third-party-advisory