CVE-2024-25710 (High) detected in commons-compress-1.24.0.jar #4462

mend-for-github-com · 2024-02-20T17:27:51Z

CVE-2024-25710 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.24.0.jar

Apache Commons Compress defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://www.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.24.0/b4b1b5a3d9573b2970fddab236102c0a4d27d35e/commons-compress-1.24.0.jar

Dependency Hierarchy:

jenkins-core-2.426.3.jar (Root Library)
- ❌ commons-compress-1.24.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-25710

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

jordarlu · 2024-03-12T17:30:15Z

The current latest Jenkins LTE version, 2.440.1 , does not address this CVE or upgarde org.apache.commons:commons-compress in dependency. We may have to wait for the future Jenkins core release

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Feb 20, 2024

github-actions bot added the untriaged Issues that have not yet been triaged label Feb 20, 2024

zelinh removed the untriaged Issues that have not yet been triaged label Feb 27, 2024

jordarlu mentioned this issue Mar 12, 2024

CVE-2024-26308 (Medium) detected in commons-compress-1.24.0.jar #4461

Open

mend-for-github-com bot changed the title ~~CVE-2024-25710 (High) detected in commons-compress-1.22.jar~~ CVE-2024-25710 (Medium) detected in commons-compress-1.22.jar Mar 28, 2024

getsaurabh02 added this to Engineering Effectiveness Board Jun 6, 2024

github-project-automation bot moved this to 🆕 New in Engineering Effectiveness Board Jun 6, 2024

mend-for-github-com bot changed the title ~~CVE-2024-25710 (Medium) detected in commons-compress-1.22.jar~~ CVE-2024-25710 (Medium) detected in commons-compress-1.24.0.jar Jun 11, 2024

mend-for-github-com bot changed the title ~~CVE-2024-25710 (Medium) detected in commons-compress-1.24.0.jar~~ CVE-2024-25710 (High) detected in commons-compress-1.24.0.jar Jul 17, 2024

getsaurabh02 moved this from 🆕 New to Later (6 months plus) in Engineering Effectiveness Board Jul 18, 2024

peterzhuamazon moved this to 📦 Backlog in Engineering Effectiveness Board Dec 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-25710 (High) detected in commons-compress-1.24.0.jar #4462

CVE-2024-25710 (High) detected in commons-compress-1.24.0.jar #4462

mend-for-github-com bot commented Feb 20, 2024 •

edited

Loading

jordarlu commented Mar 12, 2024

CVE-2024-25710 (High) detected in commons-compress-1.24.0.jar #4462

CVE-2024-25710 (High) detected in commons-compress-1.24.0.jar #4462

Comments

mend-for-github-com bot commented Feb 20, 2024 • edited Loading

CVE-2024-25710 - High Severity Vulnerability

jordarlu commented Mar 12, 2024

mend-for-github-com bot commented Feb 20, 2024 •

edited

Loading