The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. `ZipSecurity#isBelowCurrentDirectory` is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version allowedClasses)` constructor to restrict the allowed classes for deserialization.

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing. This issue affects Apache Commons Compress: from 1.22 before 1.24.0.

In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue COMPRESS-612). The format for the PAX extended headers carrying this data consists of two numbers separated by a period, indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. Parsing of these numbers uses the BigDecimal class from the JDK, which has a publicly known algorithmic complexity issue when operating on large numbers, causing denial of service (see issue JDK-6560193). No input validation is performed prior to parsing the header values. A third party can create a malformed TAR file by manipulating the file modification time headers; when such a file is parsed with Apache Commons Compress, it causes a denial of service via CPU consumption. Users are recommended to upgrade to version 1.24.0, which fixes the issue.
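The advisory above notes that the PAX time values reach BigDecimal with no prior input validation. What follows is an added example, not code from Apache Commons Compress, of the kind of pre-parse check a consumer of PAX headers can apply before handing a timestamp to BigDecimal: cap the string length, require the `seconds[.fraction]` shape with bounded digit counts, and only then parse and convert to an `Instant`. The class name, the 32-character cap and the 19/9 digit limits are assumptions chosen for this example; the sample values are constructed.

```java
import java.math.BigDecimal;
import java.time.Instant;
import java.util.regex.Pattern;

/**
 * Hypothetical pre-validation of PAX time values ("atime", "ctime", "mtime",
 * "LIBARCHIVE.creationtime") before they reach BigDecimal.
 * Added example, not Apache Commons Compress code; all bounds are assumptions.
 */
public final class PaxTimeValidator {
    // A PAX time is a run of digits for seconds, optionally followed by '.' and fractional digits.
    // The integer part is bounded to 19 digits (fits a signed long) and the fraction to 9 (nanoseconds).
    private static final Pattern PAX_TIME = Pattern.compile("^-?\\d{1,19}(\\.\\d{1,9})?$");

    // Hard cap on total length so an oversized header is rejected before any regex or numeric work.
    private static final int MAX_LEN = 32;

    private PaxTimeValidator() {}

    /** Cheap shape check: length first, then the bounded digit pattern. */
    public static boolean isWellFormed(String value) {
        if (value == null || value.isEmpty() || value.length() > MAX_LEN) {
            return false;
        }
        return PAX_TIME.matcher(value).matches();
    }

    /**
     * Parses a PAX time into an Instant. Values that fail the shape check are rejected
     * with IllegalArgumentException, so BigDecimal only ever sees bounded input.
     */
    public static Instant parse(String value) {
        if (!isWellFormed(value)) {
            throw new IllegalArgumentException("malformed PAX time header value");
        }
        BigDecimal seconds = new BigDecimal(value);
        long whole = seconds.longValue(); // truncates toward zero
        // Remaining fraction, scaled to nanoseconds; exact because the fraction has at most 9 digits.
        long nanos = seconds.subtract(BigDecimal.valueOf(whole))
                            .movePointRight(9)
                            .longValueExact();
        return Instant.ofEpochSecond(whole, nanos); // normalises a negative nanos adjustment
    }

    public static void main(String[] args) {
        // Constructed sample: the value quoted in the advisory text.
        System.out.println(parse("1647221103.5998539"));
        // Constructed oversized value: rejected by the length cap, never reaches BigDecimal.
        System.out.println(isWellFormed("1".repeat(100000) + ".1"));
    }
}
```

The length cap runs before the regular expression so that a pathological header costs nothing beyond a `length()` call; the pattern itself is linear, and the digit bounds guarantee that the later `longValueExact()` cannot throw on well-formed input. Callers that need the original library behaviour for legitimate archives should confirm that real-world PAX producers never exceed these bounds before adopting them.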