{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26308", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-02-17T22:08:44.423Z", "datePublished": "2024-02-19T08:31:50.192Z", "dateUpdated": "2025-03-27T19:10:43.565Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.commons:commons-compress", "product": "Apache Commons Compress", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.26.0", "status": "affected", "version": "1.21", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Yakov Shafranovich, Amazon Web Services"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.<p>This issue affects Apache Commons Compress: from 1.21 before 1.26.</p><p>Users are recommended to upgrade to version 1.26, which fixes the issue.</p>"}], "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-07T17:06:31.944Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0009/"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-02-22T17:49:36.910764Z", "id": "CVE-2024-26308", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T19:10:43.565Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.215Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0009/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0009/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.215Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-26308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-22T17:49:36.910764Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:40.685Z"}}], "cna": {"title": "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Yakov Shafranovich, Amazon Web Services"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Commons Compress", "versions": [{"status": "affected", "version": "1.21", "lessThan": "1.26.0", "versionType": "semver"}], "packageName": "org.apache.commons:commons-compress", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg", "tags": ["vendor-advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/19/2"}, {"url": "https://security.netapp.com/advisory/ntap-20240307-0009/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.<p>This issue affects Apache Commons Compress: from 1.21 before 1.26.</p><p>Users are recommended to upgrade to version 1.26, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-03-07T17:06:31.944Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26308", "state": "PUBLISHED", "dateUpdated": "2025-03-27T19:10:43.565Z", "dateReserved": "2024-02-17T22:08:44.423Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-02-19T08:31:50.192Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8C5F6D4-AAD9-4029-B819-01DB81C18DA1", "versionEndExcluding": "1.26.0", "versionStartIncluding": "1.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue."}, {"lang": "es", "value": "Asignaci\u00f3n de recursos sin l\u00edmites o vulnerabilidad de limitaci\u00f3n en Apache Commons Compress. Este problema afecta a Apache Commons Compress: desde 1.21 antes de 1.26. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.26, que soluciona el problema."}], "id": "CVE-2024-26308", "lastModified": "2025-03-27T20:15:24.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-02-19T09:15:38.277", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/02/19/2"}, {"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240307-0009/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/02/19/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240307-0009/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1706", "cpe": "cpe:/a:redhat:camel_quarkus:3", "package": "commons-compress", "product_name": "CEQ 3.2", "release_date": "2024-04-09T00:00:00Z"}, {"advisory": "RHSA-2024:1923", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-operator-bundle:1.2-18", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1923", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-rhel8-operator:1.2-11", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1923", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-container-rhel8:1.2-12", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:1923", "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8", "package": "mtr/mtr-web-executor-container-rhel8:1.2-10", "product_name": "Migration Toolkit for Runtimes 1 on RHEL 8", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:3989", "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9", "package": "mta/mta-windup-addon-rhel9:6.2.3-2", "product_name": "MTA-6.2-RHEL-9", "release_date": "2024-06-20T00:00:00Z"}, {"advisory": "RHSA-2024:1662", "cpe": "cpe:/a:redhat:quarkus:3.2::el8", "package": "org.apache.commons/commons-compress:1.26.0.redhat-00001", "product_name": "Red Hat build of Quarkus 3.2.11.Final", "release_date": "2024-04-03T00:00:00Z"}, {"advisory": "RHSA-2024:1509", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "commons-compress", "product_name": "Red Hat Data Grid", "release_date": "2024-03-26T00:00:00Z"}, {"advisory": "RHSA-2024:2833", "cpe": "cpe:/a:redhat:service_registry:2.5", "package": "commons-compress", "product_name": "RHINT Service Registry 2.5.11 GA", "release_date": "2024-05-14T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-data-index-ephemeral-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-data-index-postgresql-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-jobs-service-ephemeral-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-jobs-service-postgresql-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-operator-bundle:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-rhel8-operator:1.33.0-3", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-swf-builder-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}, {"advisory": "RHSA-2024:4057", "cpe": "cpe:/a:redhat:openshift_serverless:1.33::el8", "package": "openshift-serverless-1/logic-swf-devmode-rhel8:1.33.0-5", "product_name": "RHOSS-1.33-RHEL-8", "release_date": "2024-06-24T00:00:00Z"}], "bugzilla": {"description": "commons-compress: OutOfMemoryError unpacking broken Pack200 file", "id": "2264989", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264989"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.\nUsers are recommended to upgrade to version 1.26, which fixes the issue.", "An allocation of resources without limits or throttling vulnerability was found in Apache Commons Compress. This issue can lead to an out-of-memory error."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available for this vulnerability."}, "name": "CVE-2024-26308", "package_state": [{"cpe": "cpe:/a:redhat:amq_clients:2023", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "AMQ Clients"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Fix deferred", "package_name": "commons-compress", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "org.elasticsearch-elasticsearch", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Will not fix", "package_name": "commons-compress", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat build of Debezium 2"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Affected", "package_name": "org.apache.commons/commons-compress", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Will not fix", "package_name": "commons-compress", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "package_name": "commons-compress", "product_name": "Red Hat Integration Camel Quarkus 2"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "commons-compress", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "commons-compress", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "Red Hat JBoss Web Server 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "apache-commons-compress", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Out of support scope", "package_name": "commons-compress", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Will not fix", "package_name": "commons-compress", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "commons-compress", "product_name": "streams for Apache Kafka"}], "public_date": "2024-02-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26308\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26308\nhttps://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg\nhttps://www.openwall.com/lists/oss-security/2024/02/19/2"], "threat_severity": "Moderate"}