| Description: | Summary:
The remote host is missing an update for the 'apache-commons-compress, osgi-core' package(s) announced via the MGASA-2022-0009 advisory.
Vulnerability Insight:
When reading a specially crafted 7Z archive, the construction of the list
of codecs that decompress an entry can result in an infinite loop. This
could be used to mount a denial of service attack against services that
use Compress' sevenz package. (CVE-2021-35515)
When reading a specially crafted 7Z archive, Compress can be made to
allocate large amounts of memory that finally leads to an out of memory
error even for very small inputs. This could be used to mount a denial of
service attack against services that use Compress' sevenz package.
(CVE-2021-35516)
When reading a specially crafted TAR archive, Compress can be made to
allocate large amounts of memory that finally leads to an out of memory
error even for very small inputs. This could be used to mount a denial of
service attack against services that use Compress' tar package.
(CVE-2021-35517)
When reading a specially crafted ZIP archive, Compress can be made to
allocate large amounts of memory that finally leads to an out of memory
error even for very small inputs. This could be used to mount a denial of
service attack against services that use Compress' zip package.
(CVE-2021-36090)
Affected Software/OS:
'apache-commons-compress, osgi-core' package(s) on Mageia 8.
Solution:
Please install the updated package(s).
CVSS Score:
5.0
CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
|
