Medium severity5.5NVD Advisory· Published Mar 16, 2018· Updated Jun 17, 2026
CVE-2018-1324
CVE-2018-1324
Description
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.commons:commons-compressMaven | >= 1.11, < 1.16 | 1.16 |
com.liferay:com.liferay.portal.tools.bundle.supportMaven | >= 3.2.7, < 3.7.4 | 3.7.4 |
Affected products
4- ghsa-coords3 versionspkg:maven/com.liferay/com.liferay.portal.tools.bundle.supportpkg:maven/io.takari/commons-compresspkg:maven/org.apache.commons/commons-compress
>= 3.2.7, < 3.7.4+ 2 more
- (no CPE)range: >= 3.2.7, < 3.7.4
- (no CPE)
- (no CPE)range: >= 1.11, < 1.16
- Range: 1.11 to 1.15
Patches
Vulnerability mechanics
References
16- www.oracle.com/security-alerts/cpujan2022.htmlnvdPatchThird Party Advisory
- www.securityfocus.com/bid/103490nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1040549nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-h436-432x-8fvxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-1324ghsaADVISORY
- arxiv.org/pdf/2306.05534.pdfghsaWEB
- github.com/apache/commons-compress/commit/2a2f1dc48e22a34ddb72321a4db211da91aa933bghsaWEB
- github.com/jensdietrich/xshady-release/tree/main/CVE-2018-1324ghsaWEB
- lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089@%3Cdev.commons.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3EghsaWEB
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387@%3Cissues.beam.apache.org%3EghsaWEB
- lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089%40%3Cdev.commons.apache.org%3Envd
- lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd%40%3Cdev.creadur.apache.org%3Envd
- lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3Envd
- lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387%40%3Cissues.beam.apache.org%3Envd
News mentions
0No linked articles in our index yet.