Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:deb/debian/libcommons-compress-java@1.24.0-1?distro=trixie
Typedeb
Namespacedebian
Namelibcommons-compress-java
Version1.24.0-1
Qualifiers
distro trixie
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version1.27.1-1
Latest_non_vulnerable_version1.27.1-2
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-k4wn-j55z-b3dk
vulnerability_id VCID-k4wn-j55z-b3dk
summary 
Apache Commons Compress denial of service vulnerability
Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.

Users are recommended to upgrade to version 1.24.0, which fixes the issue.

A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.

In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.

Parsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5].

[1]:  https://issues.apache.org/jira/browse/COMPRESS-612
[2]:  https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05
[3]:  https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html
[4]:  https://bugs.openjdk.org/browse/JDK-6560193
[5]:  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098

Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42503.json
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42503.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-42503
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01494
published_at 2026-05-12T12:55:00Z
1
value 0.00011
scoring_system epss
scoring_elements 0.01498
published_at 2026-05-11T12:55:00Z
2
value 0.00011
scoring_system epss
scoring_elements 0.01504
published_at 2026-05-07T12:55:00Z
3
value 0.00011
scoring_system epss
scoring_elements 0.0151
published_at 2026-05-05T12:55:00Z
4
value 0.00011
scoring_system epss
scoring_elements 0.01522
published_at 2026-04-29T12:55:00Z
5
value 0.00011
scoring_system epss
scoring_elements 0.01514
published_at 2026-04-26T12:55:00Z
6
value 0.00012
scoring_system epss
scoring_elements 0.01866
published_at 2026-04-04T12:55:00Z
7
value 0.00012
scoring_system epss
scoring_elements 0.01854
published_at 2026-04-02T12:55:00Z
8
value 0.00014
scoring_system epss
scoring_elements 0.02432
published_at 2026-04-18T12:55:00Z
9
value 0.00014
scoring_system epss
scoring_elements 0.0252
published_at 2026-04-24T12:55:00Z
10
value 0.00014
scoring_system epss
scoring_elements 0.02473
published_at 2026-04-09T12:55:00Z
11
value 0.00014
scoring_system epss
scoring_elements 0.02443
published_at 2026-04-13T12:55:00Z
12
value 0.00014
scoring_system epss
scoring_elements 0.02426
published_at 2026-04-16T12:55:00Z
13
value 0.00014
scoring_system epss
scoring_elements 0.02533
published_at 2026-04-21T12:55:00Z
14
value 0.00014
scoring_system epss
scoring_elements 0.02448
published_at 2026-04-07T12:55:00Z
15
value 0.00014
scoring_system epss
scoring_elements 0.02452
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-42503
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/commons-compress
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/commons-compress
4
reference_url https://github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889
5
reference_url https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c
6
reference_url https://security.netapp.com/advisory/ntap-20231020-0003
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231020-0003
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052065
reference_id 1052065
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1052065
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2295031
reference_id 2295031
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2295031
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42503
reference_id CVE-2023-42503
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-42503
10
reference_url https://github.com/advisories/GHSA-cgwf-w82q-5jrr
reference_id GHSA-cgwf-w82q-5jrr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cgwf-w82q-5jrr
fixed_packages
0
url pkg:deb/debian/libcommons-compress-java@0?distro=trixie
purl pkg:deb/debian/libcommons-compress-java@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcommons-compress-java@0%3Fdistro=trixie
1
url pkg:deb/debian/libcommons-compress-java@1.20-1?distro=trixie
purl pkg:deb/debian/libcommons-compress-java@1.20-1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p41w-msyv-u7bk
1
vulnerability VCID-qsw3-wm4k-m7h3
2
vulnerability VCID-qu4m-4u1a-r3cv
3
vulnerability VCID-vaar-ytpp-eqc7
4
vulnerability VCID-y6ff-umvz-zbgd
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcommons-compress-java@1.20-1%3Fdistro=trixie
2
url pkg:deb/debian/libcommons-compress-java@1.24.0-1?distro=trixie
purl pkg:deb/debian/libcommons-compress-java@1.24.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcommons-compress-java@1.24.0-1%3Fdistro=trixie
3
url pkg:deb/debian/libcommons-compress-java@1.27.1-2?distro=trixie
purl pkg:deb/debian/libcommons-compress-java@1.27.1-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcommons-compress-java@1.27.1-2%3Fdistro=trixie
aliases CVE-2023-42503, GHSA-cgwf-w82q-5jrr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k4wn-j55z-b3dk
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:deb/debian/libcommons-compress-java@1.24.0-1%3Fdistro=trixie