opensearch-build icon indicating copy to clipboard operation
opensearch-build copied to clipboard

CVE-2024-26308 (Medium) detected in commons-compress-1.24.0.jar

Open mend-for-github-com[bot] opened this issue 1 year ago • 1 comments

CVE-2024-26308 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.24.0.jar

Apache Commons Compress defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.24.0/b4b1b5a3d9573b2970fddab236102c0a4d27d35e/commons-compress-1.24.0.jar

Dependency Hierarchy:

  • jenkins-core-2.426.3.jar (Root Library)
    • :x: commons-compress-1.24.0.jar (Vulnerable Library)

Found in HEAD commit: b439dcbcaec85cb505ff1870eaac296568ab9261

Found in base branch: main

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-26308

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-26308

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

please refer to https://github.com/opensearch-project/opensearch-build/issues/4462 as it is the same library

jordarlu avatar Mar 12 '24 17:03 jordarlu