org.apache.commons:commons-compress vulnerability - CVE-2019-12402

Description

We are using it in:
insightedge-extensions/insightedge-packager/pom.xml
insightedge-extensions/pom.xml

The vulnerability:
A resource consumption vulnerability was discovered in apache-commons-compress in the way NioZipEncoding encodes filenames. Applications that use Compress to create archives, with one of the filenames within the archive being controlled by the user, may be vulnerable to this flaw. A remote attacker could exploit this flaw to cause an infinite loop during the archive creation, thus leading to a denial of service.

The Mitigation:
Upgrade org.apache.commons:commons-compress to version 1.19 or later.
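Added example, not code from the ticket or the InsightEdge project: a Python audit that walks a Maven POM and flags any org.apache.commons:commons-compress dependency that resolves to a version below 1.19, the fixed release named above, so the two pom.xml files listed can be checked before and after the upgrade. Numeric version comparison is used because a string compare would rank "1.9" above "1.19". The POM content is constructed here and the property name compress.version is an assumption.

```python
import re
import xml.etree.ElementTree as ET

VULN_GROUP, VULN_ARTIFACT, FIXED_VERSION = "org.apache.commons", "commons-compress", "1.19"

def parse_version(version):
    """Numeric tuple for a Maven version ("1.19" -> (1, 19)); a qualifier such as -SNAPSHOT is dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0])) or (0,)

def is_vulnerable_version(version):
    """True when the version is below the fixed release named in the advisory (1.19)."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def find_vulnerable_commons_compress(pom_xml):
    """(declared, resolved) for each commons-compress dependency below 1.19; unpinned ones yield ("unpinned", None)."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""  # POM default namespace

    def text(elem, tag):
        child = elem.find(ns + tag)
        return child.text.strip() if child is not None and child.text else None

    # <properties> entries plus project.version, used to resolve ${...} placeholders
    props = {p.tag.replace(ns, ""): (p.text or "").strip()
             for block in root.iter(ns + "properties") for p in block}
    if text(root, "version"):
        props.setdefault("project.version", text(root, "version"))
    findings = []
    for dep in root.iter(ns + "dependency"):
        if text(dep, "groupId") != VULN_GROUP or text(dep, "artifactId") != VULN_ARTIFACT:
            continue
        declared = text(dep, "version")
        if declared is None:  # version managed by a parent POM or BOM: must be verified there
            findings.append(("unpinned", None))
            continue
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), declared)
        if "${" in resolved or is_vulnerable_version(resolved):  # unresolved placeholder is reported too
            findings.append((declared, resolved))
    return findings

# Constructed sample POM (not the project's real pom.xml): pins 1.18 through an assumed property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion><groupId>example</groupId>
  <artifactId>packager</artifactId><version>1.0</version>
  <properties><compress.version>1.18</compress.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.commons</groupId><artifactId>commons-compress</artifactId>
    <version>${compress.version}</version>
  </dependency></dependencies>
</project>"""
```

Running `find_vulnerable_commons_compress` over the real packager and parent POMs returns an empty list once both resolve to 1.19 or later; an "unpinned" result means the version is inherited and the parent or BOM must be checked.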

Workaround

None

Acceptance Test

None

Assignee

Unassigned

Reporter

Yuval Dori

Labels

None

Priority

Medium

SalesForce Case ID

None

Fix versions

None

Commitment Version/s

None

Due date

None

Product

XAP

Edition

Open Source

Platform

All