2316271 – (CVE-2024-47554) CVE-2024-47554 apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader

Bug 2316271 (CVE-2024-47554) - CVE-2024-47554 apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader

Summary: CVE-2024-47554 apache-commons-io: Possible denial of service attack on untrus...

Keywords:
Status:	NEW
Alias:	CVE-2024-47554
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2316397 2316398
Blocks:
TreeView+	depends on / blocked

Reported:	2024-10-03 12:01 UTC by OSIDB Bzimport
Modified:	2026-06-01 08:29 UTC (History)
CC List:	111 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:9571	None	None	None	2024-11-13 16:21:11 UTC
Red Hat Product Errata	RHSA-2025:2416	None	None	None	2025-03-05 20:59:26 UTC
Red Hat Product Errata	RHSA-2025:4552	None	None	None	2025-10-23 22:29:53 UTC

Description OSIDB Bzimport 2024-10-03 12:01:05 UTC

Uncontrolled Resource Consumption vulnerability in Apache Commons IO.

The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.


This issue affects Apache Commons IO: from 2.0 before 2.14.0.

Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Comment 1 errata-xmlrpc 2024-11-13 16:21:10 UTC

This issue has been addressed in the following products:

  Streams for Apache Kafka 2.8.0

Via RHSA-2024:9571 https://access.redhat.com/errata/RHSA-2024:9571

Comment 3 errata-xmlrpc 2025-03-05 20:59:23 UTC

This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.0

Via RHSA-2025:2416 https://access.redhat.com/errata/RHSA-2025:2416

Comment 6 errata-xmlrpc 2025-10-23 22:29:45 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7

Via RHSA-2025:4552 https://access.redhat.com/errata/RHSA-2025:4552

Note You need to log in before you can comment on or make changes to this bug.

aazores
abrianik
adupliak
amctagga
anstephe
aoconnor
aschwart
asoldano
ataylor
avibelli
bbaranow
bgeorges
bihu
bmaxwell
bniver
boliveir
brian.stansberry
ccranfor
chfoley
clement.escoffier
cmah
cmiranda
csutherl
dandread
darran.lofthouse
dbruscin
dhanak
dkreling
dosoudil
drichtar
drosa
dsoumis
eaguilar
ebaron
eric.wittmann
flucifre
fmariani
fmongiar
ggrzybek
gmalinko
gmeno
gsmet
ibek
istudens
ivassile
iweiss
janstey
jclere
jkoops
jmartisk
jnethert
jolong
jpechane
jpoth
jrokos
kvanderr
kverlaen
lthon
manderse
mbenjamin
mhackett
mnovotny
mosmerov
mposolda
msochure
msvehla
nipatil
nwallace
olubyans
pantinor
parichar
pberan
pbizzarr
pcongius
pdelbell
pdrozd
peholase
pesilva
pgallagh
pjindal
plodge
pmackay
porcelli
probinso
pskopek
rguimara
rkieley
rkubis
rmartinc
rmaucher
rowaters
rruss
rstancel
rstepani
rsvoboda
sausingh
sbiarozk
sfroberg
smaestri
sostapov
ssilvert
sthorger
swoodman
szappis
tasato
tcunning
tom.jenkinson
tqvarnst
vereddy
vmuzikar
yfang