{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26308", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-02-17T22:08:44.423Z", "datePublished": "2024-02-19T08:31:50.192Z", "dateUpdated": "2024-08-02T00:07:19.215Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.commons:commons-compress", "product": "Apache Commons Compress", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.26.0", "status": "affected", "version": "1.21", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Yakov Shafranovich, Amazon Web Services"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.<p>This issue affects Apache Commons Compress: from 1.21 before 1.26.</p><p>Users are recommended to upgrade to version 1.26, which fixes the issue.</p>"}], "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue.\n\n"}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-19T08:31:50.192Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0009/"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-22T17:49:36.910764Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:56.918Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.215Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0009/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-22T17:49:36.910764Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:40.685Z"}}], "cna": {"title": "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Yakov Shafranovich, Amazon Web Services"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Commons Compress", "versions": [{"status": "affected", "version": "1.21", "lessThan": "1.26.0", "versionType": "semver"}], "packageName": "org.apache.commons:commons-compress", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0009/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.<p>This issue affects Apache Commons Compress: from 1.21 before 1.26.</p><p>Users are recommended to upgrade to version 1.26, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-19T08:31:50.192Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26308", "state": "PUBLISHED", "dateUpdated": "2024-07-05T17:21:56.918Z", "dateReserved": "2024-02-17T22:08:44.423Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-02-19T08:31:50.192Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8C5F6D4-AAD9-4029-B819-01DB81C18DA1", "versionEndExcluding": "1.26.0", "versionStartIncluding": "1.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue.\n\n"}, {"lang": "es", "value": "Asignaci\u00f3n de recursos sin l\u00edmites o vulnerabilidad de limitaci\u00f3n en Apache Commons Compress. Este problema afecta a Apache Commons Compress: desde 1.21 antes de 1.26. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.26, que soluciona el problema."}], "id": "CVE-2024-26308", "lastModified": "2024-03-21T19:54:03.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-19T09:15:38.277", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/02/19/2"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240307-0009/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@apache.org", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1706", "cpe": "cpe:/a:redhat:camel_quarkus:3", "package": "commons-compress", "product_name": "CEQ 3.2", "release_date": "2024-04-09T00:00:00Z"}, {"advisory": "RHSA-2024:1923", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-operator-bundle:1.2-18", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1923", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-rhel8-operator:1.2-11", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1923", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-container-rhel8:1.2-12", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1923", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-executor-container-rhel8:1.2-10", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:1662", "cpe": "cpe:/a:redhat:quarkus:3.2::el8", "package": "org.apache.commons/commons-compress:1.26.0.redhat-00001", "product_name": "Red Hat build of Quarkus 3.2.11.Final", "release_date": "2024-04-03T00:00:00Z"}, {"advisory": "RHSA-2024:1509", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "commons-compress", "product_name": "Red Hat Data Grid", "release_date": "2024-03-26T00:00:00Z"}, {"advisory": "RHSA-2024:2833", "cpe": "cpe:/a:redhat:service_registry:2.5", "package": "commons-compress", "product_name": "RHINT Service Registry 2.5.11 GA", "release_date": "2024-05-14T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-operator-bundle:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-rhel8-operator:1.33.0-3", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-swf-builder-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-swf-devmode-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}], "bugzilla": {"description": "commons-compress: OutOfMemoryError unpacking broken Pack200 file", "id": "2264989", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264989"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\nUsers are recommended to upgrade to version 1.26, which fixes the issue.", "An allocation of resources without limits or throttling vulnerability was found in Apache Commons Compress. This issue can lead to an out-of-memory error."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available for this vulnerability."}, "name": "CVE-2024-26308", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "org.elasticsearch-elasticsearch", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Will not fix", "package_name": "commons-compress", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Affected", "package_name": "org.apache.commons/commons-compress", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "commons-compress", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss A-MQ 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "commons-compress", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "commons-compress", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "apache-commons-compress", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Out of support scope", "package_name": "commons-compress", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "streams for Apache Kafka"}], "public_date": "2024-02-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26308\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26308\nhttps://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg\nhttps://www.openwall.com/lists/oss-security/2024/02/19/2"], "threat_severity": "Moderate", "upstream_fix": "Apache Commons Compress 1.26"}