
CVE-2024-26308: Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file

CVSS Score (v3.1): 5.5

Basic Information

EPSS Score: 0.61733%
Published: 2/19/2024
Updated: 2/13/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name: org.apache.commons:commons-compress
Ecosystem: maven
Vulnerable Versions: >= 1.21, < 1.26.0
First Patched Version: 1.26.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is an OutOfMemoryError caused by improper handling of malformed Pack200 attributes. The identified commit (90a4d8b3e6bc261af0196ea356f974111001fd15) directly addresses this by adding end-of-stream checks in several methods within the NewAttributeBands class, in both the pack200 and unpack200 harmony packages. These methods are responsible for parsing attribute layouts from a StringReader. Without these checks, malformed input could cause these methods to loop indefinitely or read excessive amounts of data, leading to the OutOfMemoryError. The patch ensures that reading stops when the end of the input stream is encountered, mitigating the vulnerability. The test case Compress626Test.java was also modified to assert that these operations do not throw an exception with a crafted input, confirming the fix.
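As an added illustration of the bug class described above (this is a hypothetical layout reader written for this page, not the Commons Compress source and not the code changed in the commit), the unchecked reader casts the result of StringReader.read() straight to char, so on a truncated layout the -1 end-of-stream sentinel becomes '\uFFFF', never matches a bracket, and the loop appends until the heap is exhausted; the checked reader stops at end of stream. All class and method names are invented.

```java
import java.io.IOException;
import java.io.StringReader;

/** Hypothetical layout reader for illustration; not the Commons Compress implementation. */
public class LayoutReaderDemo {

    /** Vulnerable pattern: read() is cast to char, so end of stream (-1) is never detected. */
    static String readUpToMatchingBracketUnchecked(StringReader stream) throws IOException {
        StringBuilder sb = new StringBuilder();
        int depth = 1;                            // caller has already consumed the opening '['
        while (depth > 0) {
            char c = (char) stream.read();        // -1 becomes '\uFFFF' and is silently appended
            if (c == '[') depth++;
            if (c == ']') depth--;
            if (depth > 0) sb.append(c);          // on truncated input this grows without bound
        }
        return sb.toString();
    }

    /** Hardened pattern: check for end of stream before interpreting the value. */
    static String readUpToMatchingBracket(StringReader stream) throws IOException {
        StringBuilder sb = new StringBuilder();
        int depth = 1;
        while (depth > 0) {
            int c = stream.read();
            if (c == -1) {
                throw new IOException("Unexpected end of layout: unbalanced '['");
            }
            if (c == '[') depth++;
            if (c == ']') depth--;
            if (depth > 0) sb.append((char) c);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs; each reader is positioned just after the opening '['.
        System.out.println(readUpToMatchingBracket(new StringReader("RSH]")));
        try {
            readUpToMatchingBracket(new StringReader("RSH"));   // truncated layout
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // readUpToMatchingBracketUnchecked(new StringReader("RSH")) would never return:
        // the StringBuilder keeps growing until the JVM throws OutOfMemoryError.
    }
}
```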


WAF Protection Rules

WAF Rule

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
