Apache Commons Compress: Denial of service via CPU consumption for malformed TAR file
Description
Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing. This issue affects Apache Commons Compress: from 1.22 before 1.24.0.
Users are recommended to upgrade to version 1.24.0, which fixes the issue.
A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.
In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.
Parsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5].
[1]: https://issues.apache.org/jira/browse/COMPRESS-612
[2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05
[3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html
[4]: https://bugs.openjdk.org/browse/JDK-6560193
[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Malformed TAR file headers cause DoS via CPU exhaustion in Apache Commons Compress versions 1.22 to 1.23.
Vulnerability
Overview
CVE-2023-42503 is an improper input validation and uncontrolled resource consumption vulnerability in Apache Commons Compress, specifically in its TAR parsing functionality. The issue affects versions from 1.22 up to (but not including) 1.24.0. A remote attacker can craft a malformed TAR file with manipulated PAX extended headers for file modification times (such as atime, ctime, mtime, or LIBARCHIVE.creationtime) that lack input validation. Parsing these values uses the Java BigDecimal class, which exhibits known algorithmic complexity issues (JDK-6560193) when handling numbers with very long fractional parts (e.g., 300,000 digits) or exponent notation like 9e9999999, causing CPU exhaustion [1][2].
Exploitation
Details
The attack vector involves a third party supplying a specially crafted TAR file to an application that uses Apache Commons Compress's CompressorStreamFactory with auto-detection or directly invokes TAR archive parsing. No authentication is required beyond the ability to provide such a file (e.g., upload, network share, or email attachment). The parsing of the malicious header consumes excessive CPU resources, effectively causing a Denial of Service (DoS) by making the processing time escalate from seconds to hours [1][2].
Impact
Successful exploitation results in a denial of service via exhaustion of CPU resources. This can degrade or halt the affected application or service, leading to performance degradation or complete unavailability. The issue is similar to CVE-2012-2098, which also involved algorithmic complexity in number parsing [1].
Mitigation
The fix is implemented in Apache Commons Compress version 1.24.0, released on September 14, 2023. Users are strongly advised to upgrade to this version. The commit aae38bfb820159ae7a0b792e779571f6a46b3889 details the patch [2]. No workarounds other than upgrading are mentioned in the advisories. The library source code is available on GitHub [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
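The description and the overview above both come down to one unvalidated field: a PAX record whose value is handed to BigDecimal. As an added example (not the library's code and not the 1.24.0 fix), here is the pre-scan a defender could run over an archive before an affected version parses it: it walks the ustar headers, decodes the PAX extended-header records in the `<len> key=value` format from [2], and flags the four time keys named above whenever the value carries an exponent or an unbounded fraction. The accepted grammar, the block-layout helpers and the sample archive are all constructed here.

```python
import re

BLOCK = 512
# PAX keys the advisory says were parsed with no validation in 1.22/1.23.
TIME_KEYS = {"atime", "ctime", "mtime", "LIBARCHIVE.creationtime"}
# Policy for this example (not the library's): digits, optional <=9-digit fraction, no exponent.
SAFE_TIME = re.compile(r"^-?[0-9]{1,19}(\.[0-9]{1,9})?$")


def pax_records(fields):
    """Encode PAX records '<len> <key>=<value>\\n'; <len> counts its own digits."""
    out = b""
    for key, value in fields.items():
        body = f" {key}={value}\n".encode()
        length = len(body) + 1
        while len(str(length)) + len(body) != length:  # fixed point for the prefix
            length = len(str(length)) + len(body)
        out += str(length).encode() + body
    return out


def parse_pax(body):
    """Walk records by their length prefix, as pax(1) specifies; stop at malformed input."""
    fields = {}
    while body:
        space = body.find(b" ")
        if space < 1 or not body[:space].isdigit():
            break
        length = int(body[:space])
        record = body[space + 1:length]
        if b"=" not in record:
            break
        key, value = record.rstrip(b"\n").split(b"=", 1)
        fields[key.decode(errors="replace")] = value
        body = body[length:]
    return fields


def scan_tar(data):
    """Return (key, reason) for every PAX time value that fails SAFE_TIME."""
    findings, offset = [], 0
    while offset + BLOCK <= len(data):
        hdr = data[offset:offset + BLOCK]
        if hdr == bytes(BLOCK):  # end-of-archive marker
            break
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        body = data[offset + BLOCK:offset + BLOCK + size]
        offset += BLOCK + len(body) + (-len(body) % BLOCK)  # entry data is block-padded
        if hdr[156:157] in (b"x", b"g"):  # PAX extended / global header entries only
            for key, value in parse_pax(body).items():
                if key in TIME_KEYS and not SAFE_TIME.match(value.decode(errors="replace")):
                    findings.append((key, f"{len(value)} bytes, starts {value[:12]!r}"))
    return findings


def ustar_header(name, size, typeflag):
    """Minimal ustar header with a valid checksum (constructed for the sample archive)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    hdr[100:124] = b"0000644\0" + b"0000000\0" * 2  # mode, uid, gid
    hdr[124:148] = f"{size:011o}\0".encode() + b"00000000000\0"  # size, mtime
    hdr[148:156] = b" " * 8  # checksum is computed with its own field as spaces
    hdr[156:157] = typeflag
    hdr[257:265] = b"ustar\x00" + b"00"
    hdr[148:156] = f"{sum(hdr):06o}\0 ".encode()
    return bytes(hdr)


def build_sample(mtime_value):
    """Constructed archive: a PAX header carrying mtime_value, an empty file, then EOF."""
    records = pax_records({"path": "demo.txt", "mtime": mtime_value})
    return (ustar_header("PaxHeaders/demo.txt", len(records), b"x")
            + records + bytes(-len(records) % BLOCK)
            + ustar_header("demo.txt", 0, b"0") + bytes(2 * BLOCK))
```

`scan_tar(build_sample("9e9999999"))` and a 300,000-digit fraction each yield one `mtime` finding, while the advisory's own sample value `1647221103.5998539` passes; the regex fails fast on long input because the fraction quantifier is bounded.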
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-compress (Maven) | >= 1.22, < 1.24.0 | 1.24.0 |
Affected products
- pkg:maven/org.apache.commons/commons-compress (no CPE): range >= 1.22, < 1.24.0
- Apache Software Foundation / Apache Commons Compress (CVE v5 record): range from 1.22
Patches
aae38bfb8201 Update site for CVE-2023-42503
1 file changed · +30 −0
src/site/xdoc/security.xml+30 −0 modified@@ -54,6 +54,36 @@ the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.</p> + <subsection name="Fixed in Apache Commons Compress 1.24.0"> + <p><b>Moderate: Denial of Service</b> <a + href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42503">CVE-2023-42503</a></p> + + <p>Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.</p> + <p>This issue affects Apache Commons Compress: from 1.22 before 1.24.0.</p> + <p>Users are recommended to upgrade to version 1.24.0, which fixes the issue.</p> + <p>A third party can create a malformed TAR file by manipulating file modification times headers, + which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.</p> + <p>In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision + (issue # COMPRESS-612<sup><a href="#Ref-1-24-1">[1]</a></sup>). + The format for the PAX extended headers carrying this data consists of two numbers separated by a period<sup><a href="#Ref-1-24-2">[2]</a></sup>, + indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and + “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.</p> + <p>Parsing of these numbers uses the BigDecimal<sup><a href="#Ref-1-24-3">[3]</a></sup> class from the JDK which has a publicly known algorithmic complexity issue when doing + operations on large numbers, causing denial of service (see issue # JDK-6560193<sup><a href="#Ref-1-24-4">[4]</a></sup>). 
A third party can manipulate file time headers + in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) + within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a + denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098<sup><a href="#Ref-1-24-5">[5]</a></sup>.</p> + <ul> + <li id="Ref-1-24-1">[1]: <a href="https://issues.apache.org/jira/browse/COMPRESS-612">COMPRESS-612</a></li> + <li id="Ref-1-24-2">[2]: <a href="https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05">PAX extended headers</a></li> + <li id="Ref-1-24-3">[3]: <a href="https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html">BigDecimal</a></li> + <li id="Ref-1-24-4">[4]: <a href="https://bugs.openjdk.org/browse/JDK-6560193">JDK-6560193</a></li> + <li id="Ref-1-24-5">[5]: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098">CVE-2012-2098</a></li> + </ul> + <p>Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile + classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.</p> + </subsection> + <subsection name="Fixed in Apache Commons Compress 1.21"> <p><b>Low: Denial of Service</b> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515">CVE-2021-35515</a></p>
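Review bot: this hunk changes only src/site/xdoc/security.xml (1 file changed, +30 −0), so it publishes the advisory text on the project site and does not touch the TAR header parsing that the advisory describes; the "Patches" entry and the statement above that this commit "details the patch" should be read as a documentation change, and the record would be more useful if it also linked the commit that adds the validation before the BigDecimal parse. Minor: the new subsection ends with an added `+ <subsection name="Fixed in Apache Commons Compress 1.21">` line immediately before the unchanged `<p><b>Low: Denial of Service</b>` context, so it is worth confirming in the rendered page that the 1.21 subsection is not opened twice.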
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cgwf-w82q-5jrr (GHSA, ADVISORY)
- lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c (GHSA, vendor advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-42503 (GHSA, ADVISORY)
- github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889 (GHSA, WEB)
- security.netapp.com/advisory/ntap-20231020-0003 (GHSA, WEB)
- security.netapp.com/advisory/ntap-20231020-0003/ (MITRE)