Commons Compress Security Reports Commons Documentation Team

For information about reporting or asking questions about security problems, please see the security page of the Commons project.

This page lists all security vulnerabilities fixed in released versions of Apache Commons Compress. Each vulnerability is given a security impact rating by the development team - please note that this rating may vary from platform to platform. We also list the versions of Commons Compress the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Commons Compress version that you are using.

If you need help on building Commons Compress or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Compress Users mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

Low: Denial of Service CVE-2018-11771

When reading a specially crafted ZIP archive, the read method of ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package

This was fixed in revision a41ce68.

This was first reported to the Security Team on 14 June 2018 and made public on 16 August 2018.

Affects: 1.7 - 1.17

Low: Denial of Service CVE-2018-1324

A specially crafted ZIP archive can be used to cause an infinite loop inside of Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes. This can be used to mount a denial of service attack against services that use Compress' zip package.

This was fixed in revision 2a2f1dc4.

This was first reported to the project's JIRA on 19 December 2017.

Affects: 1.11 - 1.15

Low: Denial of Service CVE-2012-2098

The bzip2 compressing streams in Apache Commons Compress internally use sorting algorithms with unacceptable worst-case performance on very repetitive inputs. A specially crafted input to Compress' BZip2CompressorOutputStream can be used to make the process spend a very long time while using up all available processing time effectively leading to a denial of service.

This was fixed in revisions 1332540, 1332552, 1333522, 1337444, 1340715, 1340723, 1340757, 1340786, 1340787, 1340790, 1340795 and 1340799.

This was first reported to the Security Team on 12 April 2012 and made public on 23 May 2012.

Affects: 1.0 - 1.4

Please report any errors or omissions to the dev mailing list.