CVE-2024-47554 (High) detected in commons-io-2.6.jar

[mend-bolt-for-github[bot]]

CVE-2024-47554 - High Severity Vulnerability

Vulnerable Library - commons-io-2.6.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: https://www.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.6/815893df5f31da2ece4040fe0a12fd44b577afaf/commons-io-2.6.jar

Dependency Hierarchy: - pmd-java-6.42.0.jar (Root Library) - :x: **commons-io-2.6.jar** (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Publish Date: 2024-10-03

URL: CVE-2024-47554

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1

Release Date: 2024-10-03

Fix Resolution (commons-io:commons-io): 2.14.0

Direct dependency fix Resolution (net.sourceforge.pmd:pmd-java): 6.46.0

---

Step up your Open Source Security Game with Mend here