
apache commons-io:2.7 divide-by-zero vulnerability #214

Closed
snackerphi opened this issue Sep 28, 2023 · 5 comments · Fixed by #215

@snackerphi

snackerphi commented Sep 28, 2023

X-Ray scan shows commons-io version 2.7 has a divide-by-zero vulnerability which can be used for DoS attack.

X-Ray details:

  1. Severity: High
  2. Component: commons-io:commons-io:2.7
  3. Upgrade to: 2.8.0-RC1
  4. Summary: Apache Commons IO input/InfiniteCircularInputStream.java InfiniteCircularInputStream::read() Function Buffer Handling Divide-by-zero DoS
  5. Description: Apache Commons IO contains a divide-by-zero condition in the InfiniteCircularInputStream::read() function in input/InfiniteCircularInputStream.java that is triggered when the input buffer is of size 0. This may allow a context-dependent attacker to crash a process linked against the library.
  6. Vulnerable Versions: 2.6 ≤ Version < 2.8.0-RC

Apache Issue : InfiniteCircularInputStream throws a divide-by-zero exception when reading if its input buffer is size 0

Similar ticket in Confluence
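As an added example, not code from commons-io or from this project, a minimal Java model of the pattern X-Ray describes: an unguarded circular stream whose read() reduces the position modulo the buffer length, next to a guarded variant that rejects an empty buffer at construction so the zero-length case fails fast with a clear error instead of crashing inside read(). The class and method names are assumptions chosen for the illustration.

```java
import java.io.InputStream;
// Added model of the defect class described above; not the commons-io source.
public class CircularStreamDemo {
    // Unguarded variant: an empty buffer makes the modulo divide by zero.
    static class UnguardedCircularInputStream extends InputStream {
        private final byte[] content;
        private int position = -1;
        UnguardedCircularInputStream(byte[] content) {
            this.content = content; // no length check
        }
        @Override
        public int read() {
            // ArithmeticException ("/ by zero") when content.length == 0
            position = (position + 1) % content.length;
            return content[position] & 0xff;
        }
    }
    // Guarded variant: reject the degenerate input when the stream is built.
    static class GuardedCircularInputStream extends InputStream {
        private final byte[] content;
        private int position = -1;
        GuardedCircularInputStream(byte[] content) {
            if (content == null || content.length == 0) {
                throw new IllegalArgumentException("content must not be null or empty");
            }
            this.content = content;
        }
        @Override
        public int read() {
            position = (position + 1) % content.length;
            return content[position] & 0xff;
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] empty = new byte[0]; // constructed sample input
        try {
            new UnguardedCircularInputStream(empty).read();
        } catch (ArithmeticException e) {
            System.out.println("unguarded: " + e.getMessage());
        }
        try {
            new GuardedCircularInputStream(empty);
        } catch (IllegalArgumentException e) {
            System.out.println("guarded: " + e.getMessage());
        }
        InputStream ok = new GuardedCircularInputStream(new byte[] {1, 2});
        System.out.println(ok.read() + "," + ok.read() + "," + ok.read());
    }
}
```

With a non-empty buffer the guarded stream wraps around as intended (the last line prints `1,2,1`); the point of the guard is that a caller passing attacker-influenced or empty content gets a checked failure at construction rather than an unexpected runtime exception during a read loop.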

@ricellis
Member

X-Ray's recommendation to update to 2.8.0-RC1 is naive. 2.8.0 proper was released on 2020-09-05 and the current version is 2.13.0.

@snackerphi
Author

snackerphi commented Sep 29, 2023

I believe it is just stating the first version which doesn't have the vulnerability. The latest version would be best of course.

@padamstx
Member

padamstx commented Oct 2, 2023

Most recent version of commons-io is 2.14.0... we'll use that.

padamstx added a commit that referenced this issue Oct 2, 2023
ibm-devx-sdk pushed a commit that referenced this issue Oct 2, 2023
## [9.18.6](9.18.5...9.18.6) (2023-10-02)

### Bug Fixes

* bump dependencies to avoid vulnerabilities ([#215](#215)) ([3f5a609](3f5a609)), closes [#214](#214)
@ibm-devx-sdk
Contributor

🎉 This issue has been resolved in version 9.18.6 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@snackerphi
Author

Thanks @padamstx !
