
CVE-2023-42503: Medium Vulnerability in Apache Commons Compress

A medium severity vulnerability has been identified in Apache Commons Compress, affecting versions from 1.22 prior to 1.24.0. A malformed TAR file crafted by an attacker causes uncontrolled resource consumption in any application that parses it with an affected version. Immediate patching is recommended.

Severity: Medium · CVSS 5.5 · Published September 14, 2023


CVE-2023-42503 identifies a medium severity vulnerability in Apache Commons Compress, specifically related to improper input validation and uncontrolled resource consumption during TAR parsing. This vulnerability affects users of Apache Commons Compress from version 1.22 up to, but not including, version 1.24.0. The issue arises when a third party crafts a malformed TAR file by manipulating file modification time headers, leading to a denial of service (DoS) via excessive CPU consumption.

The vulnerability lies in the parsing of file modification times with high (sub-second) precision, support for which was introduced in version 1.22. The affected header fields are 'atime', 'ctime', 'mtime' and 'LIBARCHIVE.creationtime'. No input validation is performed on these header values before they are parsed, so an attacker can trigger the algorithmic complexity issue in the BigDecimal class, causing prolonged CPU processing that significantly degrades application performance.
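As an added defensive illustration, not code from Apache Commons Compress or its fix, the following Python splits PAX extended-header records (the `len key=value\n` records in which these four time fields travel) and validates each time value against a strict shape and length bound before any arbitrary-precision conversion is attempted. The regex, the 32-character bound and the sample header are assumptions constructed here, not the library's own limits.

```python
import re
from decimal import Decimal

# The four time-valued PAX keys named in the advisory.
TIME_KEYS = {"atime", "ctime", "mtime", "LIBARCHIVE.creationtime"}
# Assumed strict shape: optional sign, whole seconds, optional fraction up to
# nanoseconds. No exponent, no whitespace, no unbounded digit runs.
TIME_PATTERN = re.compile(r"^-?[0-9]{1,19}(\.[0-9]{1,9})?$")
MAX_TIME_LEN = 32  # assumed bound; chosen here, not the library's value

class PaxHeaderError(ValueError):
    """Raised for any record or time value that fails validation."""

def make_pax_record(key: str, value: str) -> bytes:
    """Build one PAX record; the leading length counts the whole record, itself included."""
    body = f" {key}={value}\n"
    length = len(body) + 1
    while len(str(length)) + len(body) != length:  # fixed point for the digit width
        length = len(str(length)) + len(body)
    return f"{length}{body}".encode("utf-8")

def parse_pax_records(data: bytes) -> dict:
    """Split a PAX extended-header body into a {key: value} mapping."""
    records, pos = {}, 0
    while pos < len(data):
        try:
            space = data.index(b" ", pos)
            length = int(data[pos:space])
        except ValueError as exc:
            raise PaxHeaderError("malformed PAX record length") from exc
        record = data[pos:pos + length]
        if length <= 0 or not record.endswith(b"\n"):
            raise PaxHeaderError("PAX record length does not match its content")
        key, _, value = record[space - pos + 1:-1].decode("utf-8").partition("=")
        records[key] = value
        pos += length
    return records

def parse_time_field(value: str) -> tuple:
    """Validate first, convert second; returns (seconds, nanoseconds), nanos signed for pre-1970."""
    if len(value) > MAX_TIME_LEN or not TIME_PATTERN.match(value):
        raise PaxHeaderError(f"rejected PAX time value {value!r}")
    dec = Decimal(value)
    secs = int(dec)  # truncates toward zero
    return secs, int((dec - secs) * 1_000_000_000)

def parse_pax_times(data: bytes) -> dict:
    """Return only the validated time fields of a PAX header as (seconds, nanos)."""
    records = parse_pax_records(data)
    return {k: parse_time_field(v) for k, v in records.items() if k in TIME_KEYS}

def is_rejected(value: str) -> bool:
    """True when a time value is refused before numeric parsing."""
    try:
        parse_time_field(value)
    except PaxHeaderError:
        return True
    return False
```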

Organizations should prioritize upgrading to version 1.24.0 or later, which resolves the issue. Leaving it unaddressed exposes systems that parse untrusted TAR files to denial of service attacks, impacting availability.

With a CVSS score of 5.5, this vulnerability is categorized as medium severity: while it may not be immediately critical, the risk to organizations includes significant service interruptions and resource exhaustion, especially in environments where TAR files are parsed frequently or from untrusted sources.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
