Description
A specially crafted ZIP archive can cause an infinite loop in the extra field parser of Apache Commons Compress, which is used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial-of-service attack against services that use Compress' zip package.
Remediation
References
http://www.securitytracker.com/id/1040549
http://www.securityfocus.com/bid/103490
https://www.oracle.com/security-alerts/cpujan2022.html
https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089%40%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd%40%3Cdev.creadur.apache.org%3E
https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387%40%3Cissues.beam.apache.org%3E