Apache Commons logo Commons Compress

General Information

For information about reporting or asking questions about security problems, please see the security page of the Commons project.

Apache Commons Compress Security Vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Commons Compress. Each vulnerability is given a security impact rating by the development team - please note that this rating may vary from platform to platform. We also list the versions of Commons Compress the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Commons Compress version that you are using.

If you need help on building Commons Compress or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Compress Users mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

Fixed in Apache Commons Compress 1.16

Low: Denial of Service CVE-2018-1324

A specially crafted ZIP archive can be used to cause an infinite loop inside of Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes. This can be used to mount a denial of service attack against services that use Compress' zip package.

This was fixed in revision 2a2f1dc4.

This was first reported to the project's JIRA on 19 December 2017.

Affects: 1.11 - 1.15

Fixed in Apache Commons Compress 1.4.1

Low: Denial of Service CVE-2012-2098

The bzip2 compressing streams in Apache Commons Compress internally use sorting algorithms with unacceptable worst-case performance on very repetitive inputs. A specially crafted input to Compress' BZip2CompressorOutputStream can be used to make the process spend a very long time while using up all available processing time effectively leading to a denial of service.

This was fixed in revisions 1332540, 1332552, 1333522, 1337444, 1340715, 1340723, 1340757, 1340786, 1340787, 1340790, 1340795 and 1340799.

This was first reported to the Security Team on 12 April 2012 and made public on 23 May 2012.

Affects: 1.0 - 1.4

Errors and Ommissions

Please report any errors or omissions to the dev mailing list.