{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-03T11:32:48Z",
  "bugzilla" : {
    "description" : "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader",
    "id" : "2316271",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2316271"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.", "A vulnerability was found in the Apache Commons IO component, in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when untrusted input is processed." ],
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8826",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
  }, {
    "product_name" : "Streams for Apache Kafka 2.8.0",
    "release_date" : "2024-11-13T00:00:00Z",
    "advisory" : "RHSA-2024:9571",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "Streams for Apache Kafka 2.9.0",
    "release_date" : "2025-03-05T00:00:00Z",
    "advisory" : "RHSA-2025:2416",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Cryostat 3",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:cryostat:3"
  }, {
    "product_name" : "Cryostat 4",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat AMQ Clients",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:amq_clients:2023"
  }, {
    "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3",
    "fix_state" : "Fix deferred",
    "package_name" : "quarkus-cxf-bom",
    "cpe" : "cpe:/a:redhat:camel_quarkus:3"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Fix deferred",
    "package_name" : "quarkus-bom",
    "cpe" : "cpe:/a:redhat:quarkus:3"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Will not fix",
    "package_name" : "apache-commons-io",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "apache-commons-io",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "javapackages-tools:201801/apache-commons-io",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "maven:3.8/apache-commons-io",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "apache-commons-io",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "maven:3.8/apache-commons-io",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Affected",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Fix deferred",
    "package_name" : "jws6-tomcat-jakartaee-migration",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Out of support scope",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Fix deferred",
    "package_name" : "commons-io",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-47554\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47554\nhttps://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1" ],
  "name" : "CVE-2024-47554",
  "csaw" : false
}