Vulnerability CVE-2024-25710

[sec-hound-service[bot]]

Dependency Information

• Name: pkg@maven@org.apache.commons@commons-compress@1.25.0

• License: https://www.apache.org/licenses/LICENSE-2.0.txt

• Description: Apache Commons Compress defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, LZMA, XZ, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

• URL: https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/commons-compress@1.25.0?utm_source=dependency-check&utm_medium=integration&utm_content=9.0.9

---

Vulnerability Details

• Code: CVE-2024-25710
• Source: NVD
• Severity: MEDIUM
• Description: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

---

Common Vulnerability Scoring System (CVSSv3)

• Base Score: 5.5
• Attack Vector: LOCAL
• Attack Complexity: LOW
• Privileges Required: NONE
• User Interaction: REQUIRED
• Scope: UNCHANGED
• Confidentiality Impact: NONE
• Integrity Impact: NONE
• Availability Impact: HIGH
• Base Severity: MEDIUM
• Exploitability Score: 1.8
• Impact Score: 3.6
• Version: 3.1

Known Exploits Vulnerability

No known exploited vulnerability

For more information, visit the NVD

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:48:01 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:52:07 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:53:31 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Fri Jul 05 23:57:26 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:03:37 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:11:41 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 00:13:02 WEST 2024

[sec-hound-service[bot]]

The issue was closed because the dependency that contained the vulnerability was removed, or the dependency was updated to a version that does not contain the vulnerability. Date: Sat Jul 06 10:24:39 WEST 2024

[sec-hound-service[bot]]

The issue was reopened because the dependency that contain the vulnerability was not fixed, or the vulnerability was not removed. Date: Sat Jul 06 10:36:14 WEST 2024