CVE-2024-25710 (Medium) detected in commons-compress-1.21.jar, commons-compress-1.12.jar #1048

mend-bolt-for-github · 2024-02-29T15:14:14Z

CVE-2024-25710 - Medium Severity Vulnerability

Vulnerable Libraries - commons-compress-1.21.jar, commons-compress-1.12.jar

commons-compress-1.21.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /packages/playwright-core/src/server/android/driver/app/build.gradle

Path to vulnerable library: /dle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.21/4ec95b60d4e86b5c95a0e919cb172a0af98011ef/commons-compress-1.21.jar

Dependency Hierarchy:

❌ commons-compress-1.21.jar (Vulnerable Library)

commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /packages/playwright-core/src/server/android/driver/app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

lint-gradle-27.1.0.jar (Root Library)
- sdk-common-27.1.0.jar
  - sdklib-27.1.0.jar
    - ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-25710

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: 1.26.0

Step up your Open Source Security Game with Mend here

mend-bolt-for-github bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Feb 29, 2024

mend-bolt-for-github bot changed the title ~~CVE-2024-25710 (High) detected in commons-compress-1.21.jar, commons-compress-1.12.jar~~ CVE-2024-25710 (Medium) detected in commons-compress-1.21.jar, commons-compress-1.12.jar Mar 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-25710 (Medium) detected in commons-compress-1.21.jar, commons-compress-1.12.jar #1048

CVE-2024-25710 (Medium) detected in commons-compress-1.21.jar, commons-compress-1.12.jar #1048

mend-bolt-for-github bot commented Feb 29, 2024 •

edited

CVE-2024-25710 (Medium) detected in commons-compress-1.21.jar, commons-compress-1.12.jar #1048

CVE-2024-25710 (Medium) detected in commons-compress-1.21.jar, commons-compress-1.12.jar #1048

Comments

mend-bolt-for-github bot commented Feb 29, 2024 • edited

CVE-2024-25710 - Medium Severity Vulnerability

mend-bolt-for-github bot commented Feb 29, 2024 •

edited