Skip to content

Commit

Permalink
fix: upgrade commons-compress to v1.20 to remediate CVE-2019-12402
Browse files Browse the repository at this point in the history 
CVE-2019-12402:

- Library: org.apache.commons:commons-compress
- Vulnerable versions: >= 1.15, < 1.19
- Patched version: 1.19

The file name encoding algorithm used internally in Apache Commons
Compress 1.15 to 1.18 can get into an infinite loop when faced with
specially crafted inputs. This can lead to a denial of service attack if
an attacker can choose the file names inside of an archive created by
Compress.

Fixes #1078
  • Loading branch information
@rdeltour
rdeltour committed Apr 30, 2020
1 parent f368ee5 commit 928c26a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.18</version>
<version>1.20</version>
<exclusions>
<exclusion>
<groupId>org.tukaani</groupId>
Expand Down

0 comments on commit 928c26a

Please sign in to comment.