Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
References

Thu, 14 Nov 2024 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat amq Streams
CPEs cpe:/a:redhat:amq_streams:2
Vendors & Products Redhat
Redhat amq Streams

Fri, 04 Oct 2024 13:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

threat_severity

Moderate


Thu, 03 Oct 2024 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 03 Oct 2024 11:45:00 +0000

Type Values Removed Values Added
Description Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
Title Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader
Weaknesses CWE-400
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-10-03T11:32:48.936Z

Updated: 2024-12-04T15:03:37.949Z

Reserved: 2024-09-26T16:12:46.116Z

Link: CVE-2024-47554

cve-icon Vulnrichment

Updated: 2024-10-03T18:03:28.321Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-03T12:15:02.613

Modified: 2024-12-04T15:15:11.940

Link: CVE-2024-47554

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-10-03T11:32:48Z

Links: CVE-2024-47554 - Bugzilla