CVE-2018-11771

MEDIUM

Apache Commons Compress 1.7-1.17 - Denial of Service via Malformed ZIP Archive

Title source: llm

Exploitation Summary

EIP tracks 2 public exploit repositories for CVE-2018-11771, published by dawetmaster and andikahilmy. Both are classified below as stubs: snapshots of the vulnerable library that contain no exploit code or technical analysis.

AI-analyzed exploit summary: This repository contains the source code of Apache Commons Compress at a vulnerable commit but lacks any exploit code or technical analysis. It appears to be a snapshot of the vulnerable software rather than a PoC or writeup.

Description

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
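The consumer pattern the description warns about, placed next to a guarded form, as an added example that is not code from the CVE record or from the Commons Compress project. It assumes commons-compress is on the classpath and that the archive path is passed on the command line; the consecutive-zero-read cap and the per-entry byte budget are assumed guard values, not figures from the advisory. Upgrading to Commons Compress 1.18 or later is the fix; the guard only bounds how long an unpatched or otherwise misbehaving stream can keep the consumer busy.

```java
// Added example, not from the CVE record or the Commons Compress project.
// Contrasts a reader-driven loop that trusts the library's EOF signal with
// a byte-level loop that enforces its own limits on attacker-supplied ZIPs.
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

public class ZipEntryReader {

    // Vulnerable consumer pattern on Compress 1.7-1.17: InputStreamReader
    // drives ZipArchiveInputStream.read(). If read() fails to report -1 once
    // the entry data is exhausted, readLine() never returns null and this
    // loop runs until the thread is killed. Nothing here limits the work done.
    static long countLinesUnbounded(InputStream zipBytes) throws IOException {
        long lines = 0;
        try (ZipArchiveInputStream zin = new ZipArchiveInputStream(zipBytes)) {
            ZipArchiveEntry entry;
            while ((entry = zin.getNextZipEntry()) != null) {
                BufferedReader r = new BufferedReader(
                        new InputStreamReader(zin, StandardCharsets.UTF_8));
                while (r.readLine() != null) {   // relies solely on EOF from read()
                    lines++;
                }
            }
        }
        return lines;
    }

    // Guarded consumer: read raw bytes with an explicit per-entry byte budget
    // and a cap on consecutive zero-length reads, so a stream that never
    // signals EOF (or keeps producing bytes) is cut off with an exception
    // instead of spinning. Lines are counted as '\n' bytes.
    static long countLinesBounded(InputStream zipBytes, long maxBytesPerEntry)
            throws IOException {
        final int maxZeroReads = 16;  // assumed guard value, not from the advisory
        long lines = 0;
        byte[] buf = new byte[8192];
        try (ZipArchiveInputStream zin = new ZipArchiveInputStream(zipBytes)) {
            ZipArchiveEntry entry;
            while ((entry = zin.getNextZipEntry()) != null) {
                long consumed = 0;
                int zeroReads = 0;
                while (true) {
                    int n = zin.read(buf, 0, buf.length);
                    if (n < 0) {
                        break;                               // proper EOF indication
                    }
                    if (n == 0) {                            // no progress: suspicious
                        if (++zeroReads > maxZeroReads) {
                            throw new IOException("entry " + entry.getName()
                                    + ": stream stalled without signalling EOF");
                        }
                        continue;
                    }
                    zeroReads = 0;
                    consumed += n;
                    if (consumed > maxBytesPerEntry) {       // bounds total work
                        throw new IOException("entry " + entry.getName()
                                + ": exceeds budget of " + maxBytesPerEntry + " bytes");
                    }
                    for (int i = 0; i < n; i++) {
                        if (buf[i] == '\n') {
                            lines++;
                        }
                    }
                }
            }
        }
        return lines;
    }

    public static void main(String[] args) throws IOException {
        // Usage: java ZipEntryReader archive.zip  (64 MiB per-entry budget assumed)
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            System.out.println("lines: " + countLinesBounded(in, 64L * 1024 * 1024));
        }
    }
}
```

The budget check is the part that matters for this CVE: it does not depend on which way the library misreports EOF, only on the fact that an entry of bounded compressed size should never yield unbounded output.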

Exploits (2)

nomisec · STUB · by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-11771-commons-compress-vulnerable

This repository contains the source code of Apache Commons Compress at a vulnerable commit but lacks any exploit code or technical analysis. It appears to be a snapshot of the vulnerable software rather than a PoC or writeup.

Classification: Stub (90% confidence)
Attack type: DoS
Complexity: Trivial
Reliability: Theoretical
Target: Apache Commons Compress
Authentication: none needed
Prerequisites: none
Analyzed by devstral-2 on Mar 14, 2026
nomisec · STUB · by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-11771-commons-compress-vulnerable

This repository contains the source code of Apache Commons Compress, which is vulnerable to CVE-2018-11771, but does not include any exploit code or proof-of-concept. It appears to be a snapshot of the vulnerable version without additional exploit-specific content.

Classification: Stub (90% confidence)
Attack type: DoS
Complexity: Moderate
Reliability: Theoretical
Target: Apache Commons Compress 1.7 to 1.17
Authentication: none needed
Prerequisites: access to an application that processes attacker-supplied archives with Apache Commons Compress
Analyzed by devstral-2 on Feb 18, 2026

References (17)

Core references (3 of 17 shown):
http://www.securityfocus.com/bid/105139 (vdb-entry, x_refsource_bid; broken link)
http://www.securitytracker.com/id/1041503 (vdb-entry, x_refsource_sectrack; broken link)
https://www.oracle.com/security-alerts/cpujan2022.html (patch, third-party advisory; x_refsource_misc)

Scores

CVSS v3.1 base score: 5.5 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack vector: Local
EPSS: 0.0112 (1.12%)
EPSS percentile: 78.7%

Details

CWE: CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop')
Status: published
Products (3):
apache/commons_compress 1.7.0 - 1.17.0
oracle/weblogic_server 14.1.1.0.0
org.apache.commons:commons-compress 1.7 to 1.17 (Maven; fixed in 1.18)
Published: Aug 16, 2018
Tracked since: Feb 18, 2026