CVE-2018-1324

MEDIUM

Apache Commons Compress 1.11-1.15 - Denial of Service via ZIP Extra Field Parser


Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-1324. PoCs published by dawetmaster, andikahilmy, tafamace.


Description

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Exploits (3)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2018-1324-commons-compress-vulnerable

This repository contains the source code for Apache Commons Compress, which is the vulnerable software itself, not an exploit or PoC. It includes build and contribution guidelines but no exploit code or technical analysis of CVE-2018-1324.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache Commons Compress
No auth needed
Prerequisites: None
devstral-2 · analyzed Mar 14, 2026
nomisec STUB
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2018-1324-commons-compress-vulnerable

This repository appears to be a fork or snapshot of the Apache Commons Compress project, specifically highlighting a vulnerable version related to CVE-2018-1324. However, it lacks any exploit code, proof-of-concept, or technical analysis of the vulnerability itself.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Apache Commons Compress (vulnerable version)
No auth needed
Prerequisites: Vulnerable version of Apache Commons Compress
devstral-2 · analyzed Feb 18, 2026
nomisec STUB
by tafamace · poc
https://github.com/tafamace/CVE-2018-1324

The provided code is a simple Java stub that prints command-line arguments and does not demonstrate any exploit functionality. It lacks any offensive techniques or vulnerability-specific logic.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: N/A
No auth needed
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 5.5
EPSS: 0.0151
EPSS Percentile: 81.7%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE: CWE-835
Status: published
Products (6):
apache/commons_compress 1.11 - 1.15
com.liferay/com.liferay.portal.tools.bundle.support 3.2.7 - 3.7.4 (Maven)
io.takari/commons-compress (Maven)
oracle/mysql_cluster < 7.4.34
oracle/weblogic_server 14.1.1.0.0
org.apache.commons/commons-compress 1.11 - 1.16 (Maven)
Published: Mar 16, 2018
Tracked Since: Feb 18, 2026