CVE-2024-26308
Allocation of Resources Without Limits or Throttling vulnerability in commons-compress (Maven)
What is CVE-2024-26308 About?
This vulnerability in Apache Commons Compress allows for an uncontrolled resource allocation, potentially leading to resource exhaustion. If an attacker submits specially crafted inputs, the library could allocate excessive memory or CPU. This can result in a denial-of-service condition and is relatively easy to exploit with precise input.
Affected Software
org.apache.commons:commons-compress (Maven), versions >1.21 and <1.26.0.
Technical Details
The vulnerability in Apache Commons Compress is categorized as "Allocation of Resources Without Limits or Throttling." This means that certain operations within the library, when processing specific types of compressed archives or data streams, do not adequately limit or throttle the amount of resources (e.g., memory, CPU) they consume. An attacker can craft a malformed archive or data stream that, when processed by a vulnerable version of Commons Compress, causes the library to attempt to allocate an exceedingly large amount of memory or perform an extensive number of computations. This uncontrolled resource allocation can lead to system instability, application crashes, or a complete denial of service for the host system.
What is the Impact of CVE-2024-26308?
Successful exploitation may allow attackers to consume excessive system resources (memory, CPU), leading to a denial of service (DoS) for applications processing untrusted compressed data.
What is the Exploitability of CVE-2024-26308?
Exploitation of this vulnerability has a moderate complexity. It requires an attacker to craft a malicious compressed file or data stream that triggers the uncontrolled resource allocation when processed by Apache Commons Compress. There are no specific authentication or privilege requirements to deliver such a payload. This is a remote vulnerability if the application accepts and processes compressed files or data from untrusted sources (e.g., file uploads, network streams). Special conditions involve the target application using a vulnerable version of Apache Commons Compress. Risk factors include public-facing web applications that handle file uploads or otherwise decompress user-provided content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| crazycatMyopic | Link | Docker Desktop giving issue CVE-2024-26308 for maven [reproduce] |
What are the Available Fixes for CVE-2024-26308?
Available Upgrade Options
- org.apache.commons:commons-compress
- >1.21, <1.26.0 → Upgrade to 1.26.0
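To check whether a build pulls the affected coordinate in, directly or transitively, here is an added Python helper (not part of this advisory, of Resolved Security's tooling, or of Commons Compress) that scans `mvn dependency:tree` output against the version range stated above; the sample tree is constructed.

```python
import re
import sys
# Affected Maven coordinate and range, taken from this page's upgrade table.
AFFECTED_ARTIFACT = "org.apache.commons:commons-compress"
LOWER_EXCLUSIVE = "1.21"    # page states ">1.21"
UPPER_EXCLUSIVE = "1.26.0"  # page states "<1.26.0"; 1.26.0 is the fixed release
# One Maven coordinate as printed by `mvn dependency:tree`:
# groupId:artifactId:type[:classifier]:version[:scope]
_COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>\d[\w.\-]*)(?::(?P<scope>\w+))?"
)

def version_key(version):
    """Comparable key: '1.24.0' -> (1, 24), '1.21' -> (1, 21). Non-numeric
    qualifiers are ignored and trailing zeros dropped, so 1.26 == 1.26.0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version):
    """True when the version lies inside the advisory's affected range."""
    return version_key(LOWER_EXCLUSIVE) < version_key(version) < version_key(UPPER_EXCLUSIVE)

def find_vulnerable(tree_output):
    """(version, scope, line) for every commons-compress node, direct or
    transitive, whose version is in the affected range."""
    hits = []
    for line in tree_output.splitlines():
        for m in _COORD.finditer(line):
            if f"{m['group']}:{m['artifact']}" == AFFECTED_ARTIFACT and is_affected(m["version"]):
                hits.append((m["version"], m["scope"] or "", line.strip()))
    return hits

# Constructed sample of `mvn dependency:tree` output; not from a real project.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.apache.commons:commons-compress:jar:1.24.0:compile
[INFO] +- org.example:archive-tool:jar:3.2.0:compile
[INFO] |  \\- org.apache.commons:commons-compress:jar:1.25.0:compile
[INFO] \\- org.example:fixed-lib:jar:4.0.0:test
[INFO]    \\- org.apache.commons:commons-compress:jar:1.26.0:test
"""

if __name__ == "__main__":  # usage: mvn dependency:tree | python3 check_compress.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for version, scope, line in find_vulnerable(data):
        print(f"AFFECTED {version} ({scope}): {line}")
```

A hit on a transitive node means the upgrade has to be forced through dependency management, not just by bumping a direct dependency.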
Additional Resources
- https://security.netapp.com/advisory/ntap-20240307-0009
- https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg
- http://www.openwall.com/lists/oss-security/2024/02/19/2
- https://nvd.nist.gov/vuln/detail/CVE-2024-26308
- https://github.com/apache/commons-compress
- https://osv.dev/vulnerability/GHSA-4265-ccf5-phj5
What are Similar Vulnerabilities to CVE-2024-26308?
Similar Vulnerabilities: CVE-2023-42111, CVE-2022-45143, CVE-2022-21444, CVE-2021-43297, CVE-2020-25659
