{"id":"GHSA-4265-ccf5-phj5","summary":"Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file","details":"Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress: unpacking a broken Pack200 file can end in an OutOfMemoryError. This issue affects Apache Commons Compress versions from 1.21 up to, but not including, 1.26.\n\nUsers are advised to upgrade to version 1.26, which fixes the issue.","aliases":["CVE-2024-26308"],"modified":"2026-01-30T00:39:11.620262Z","published":"2024-02-19T09:30:52Z","related":["CGA-f856-5ccw-92g2"],"database_specific":{"cwe_ids":["CWE-770"],"nvd_published_at":"2024-02-19T09:15:38Z","github_reviewed_at":"2024-02-20T23:59:29Z","severity":"MODERATE","github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26308"},{"type":"PACKAGE","url":"https://github.com/apache/commons-compress"},{"type":"WEB","url":"https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20240307-0009"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/02/19/2"}],"affected":[{"package":{"name":"org.apache.commons:commons-compress","ecosystem":"Maven","purl":"pkg:maven/org.apache.commons/commons-compress"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.21"},{"fixed":"1.26.0"}]}],"versions":["1.21","1.22","1.23.0","1.24.0","1.25.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4265-ccf5-phj5/GHSA-4265-ccf5-phj5.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}