CVE-2018-11771: Loop with Unreachable Exit Condition (Infinite Loop)
When reading a specially crafted ZIP archive, the `read` method of Apache Commons Compress's `ZipArchiveInputStream` can fail to return the correct EOF indication after the end of the stream has been reached. Callers that loop until EOF therefore never terminate; the resulting infinite stream can be used to mount a denial of service attack against services that use it to process ZIP packages.
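The durable fix is to move to a Commons Compress release that corrects `ZipArchiveInputStream`. As defence in depth against any stream that never signals EOF, a caller can also refuse to read more than a fixed number of bytes per entry and abort when reads stop making progress. The wrapper below is an added example, not code from Commons Compress or from this advisory; the class name `BoundedEntryStream`, the limits, and the `extractAll` driver are assumptions chosen for illustration.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

/**
 * Wraps an InputStream (for example one ZIP entry's data from a
 * ZipArchiveInputStream) and throws instead of letting the caller
 * loop forever when the underlying stream never returns -1.
 * Hypothetical helper for this example.
 */
public final class BoundedEntryStream extends FilterInputStream {
    private final long maxBytes;     // hard cap on bytes handed to the caller
    private final int maxZeroReads;  // consecutive zero-length reads tolerated
    private long consumed;
    private int zeroReads;

    public BoundedEntryStream(InputStream in, long maxBytes, int maxZeroReads) {
        super(in);
        this.maxBytes = maxBytes;
        this.maxZeroReads = maxZeroReads;
    }

    @Override
    public int read() throws IOException {
        int b = in.read();
        if (b >= 0) {
            account(1);
        }
        return b;
    }

    @Override
    public int read(byte[] buf, int off, int len) throws IOException {
        int n = in.read(buf, off, len);
        if (n > 0) {
            zeroReads = 0;
            account(n);
        } else if (n == 0 && len > 0) {
            // A well-behaved stream blocks until at least one byte is
            // available; repeated zero-length results mean no progress.
            if (++zeroReads > maxZeroReads) {
                throw new IOException("entry stalled: no progress after "
                        + maxZeroReads + " reads");
            }
        }
        return n;
    }

    private void account(long n) throws IOException {
        consumed += n;
        if (consumed > maxBytes) {
            throw new IOException("entry exceeded " + maxBytes + " bytes");
        }
    }

    /**
     * Example driver (hypothetical): walks an archive, bounding both the
     * number of entries and the bytes drained from each one. The byte cap
     * terminates the loop even if read() never reports EOF.
     */
    public static long extractAll(InputStream archive, long maxEntryBytes,
                                  int maxEntries) throws IOException {
        long total = 0;
        try (ZipArchiveInputStream zis = new ZipArchiveInputStream(archive)) {
            ZipArchiveEntry entry;
            int entries = 0;
            while ((entry = zis.getNextZipEntry()) != null) {
                if (++entries > maxEntries) {
                    throw new IOException("too many entries in archive");
                }
                // Do not close the wrapper: closing it would close the archive.
                InputStream data = new BoundedEntryStream(zis, maxEntryBytes, 16);
                byte[] buf = new byte[8192];
                int n;
                while ((n = data.read(buf)) != -1) {
                    total += n; // a real consumer would write buf[0..n) out
                }
            }
        }
        return total;
    }
}
```

The caps should reflect what the service legitimately expects (for example, the largest configuration file it accepts), so that an archive engineered to keep `read` from returning EOF is rejected after a bounded amount of work rather than consuming a thread indefinitely.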
Detect and mitigate CVE-2018-11771 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.