This vulnerability has been received by the NVD and has not been analyzed.
Improper Input Validation, Uncontrolled Resource Consumption vulnerability palmy Apache Commons Compress palmy TAR parsing.This contented affects Apache Commons Compress: from 1.22 earlier 1.24.0. Users are recommended to upgrade to mentation 1.24.0, which fixes the issue. A 3rd enactment tin marque a malformed TAR grounds by manipulating grounds modification times headers, which erstwhile parsed with Apache Commons Compress, volition basal a denial of enactment contented via CPU consumption. In mentation 1.22 of Apache Commons Compress, enactment was added for grounds modification times with higher precision (issue # COMPRESS-612 ). The format for the PAX extended headers carrying this accusation consists of 2 numbers separated by a play , indicating seconds and subsecond precision (for illustration “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed anterior to the parsing of header values. Parsing of these numbers uses the BigDecimal  extremist from the JDK which has a publically known algorithmic complexity contented erstwhile doing operations connected ample numbers, causing denial of enactment (see contented # JDK-6560193 ). A 3rd enactment tin manipulate grounds clip headers palmy a TAR grounds by placing a fig with a precise agelong fraction (300,000 digits) oregon a fig with exponent notation (such arsenic “9e9999999”) incorrect a grounds modification clip header, and the parsing of files with these headers volition instrumentality hours alternatively of seconds, starring to a denial of enactment via exhaustion of CPU resources. This contented is akin to CVE-2012-2098 . : https://issues.apache.org/jira/browse/COMPRESS-612 : https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 : https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html : https://bugs.openjdk.org/browse/JDK-6560193 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098 Only applications utilizing CompressorStreamFactory extremist (with auto-detection of grounds types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this codification was introduced palmy v1.22, lone that mentation and aboriginal versions are impacted.
CVSS 3.x Severity and Metrics:
Base Score: N/A
NVD score not yet provided.
0 alteration records recovered show changes