Bug 2316271 (CVE-2024-47554) - CVE-2024-47554 apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader
Summary: CVE-2024-47554 apache-commons-io: Possible denial of service attack on untrus...
Keywords:
Status: NEW
Alias: CVE-2024-47554
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2316397 2316398
Blocks:
Reported: 2024-10-03 12:01 UTC by OSIDB Bzimport
Modified: 2025-05-02 15:20 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:9571 0 None None None 2024-11-13 16:21:11 UTC
Red Hat Product Errata RHSA-2025:2416 0 None None None 2025-03-05 20:59:26 UTC

Description OSIDB Bzimport 2024-10-03 12:01:05 UTC
Uncontrolled Resource Consumption vulnerability in Apache Commons IO.

The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.
This issue affects Apache Commons IO: from 2.0 before 2.14.0.

Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
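The advisory gives a plain affected range (Commons IO from 2.0 before 2.14.0) but no tooling. The script below is an added example, not part of this bug record or of the Apache Commons project: it checks dependency listings for commons-io coordinates and flags versions inside that range. It assumes the `mvn dependency:list`/`dependency:tree` coordinate format (group:artifact:type:version:scope) and the Gradle `group:artifact:version` form with optional `-> resolved` arrows; the sample output lines are constructed, and treating a `2.14.0-<qualifier>` pre-release as still affected is a conservative choice of this example, not something the advisory states.

```python
import re
from typing import Iterable

# Affected range as stated in the advisory: Apache Commons IO from 2.0 before 2.14.0.
AFFECTED_FROM = (2, 0, 0)
FIXED_IN = (2, 14, 0)

# Numeric dotted part, optionally followed by a qualifier such as -SNAPSHOT or -RC1.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z].*))?$")


def parse_version(version: str) -> tuple[tuple[int, int, int], bool]:
    """Split a Maven-style version into a 3-part numeric tuple plus a
    'has qualifier' flag. In Maven ordering 2.14.0-SNAPSHOT sorts before
    the 2.14.0 release, so a qualified fix version is not yet the fix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    while len(parts) < 3:          # pad '2.0' to (2, 0, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2]), m.group(2) is not None


def is_affected(version: str) -> bool:
    """True if this commons-io version falls in [2.0, 2.14.0)."""
    numeric, has_qualifier = parse_version(version)
    if numeric < AFFECTED_FROM:
        return False
    if numeric < FIXED_IN:
        return True
    # Assumption of this example: a pre-release of 2.14.0 is treated as unfixed.
    return numeric == FIXED_IN and has_qualifier


# commons-io coordinates in Maven (with type) or Gradle (without) notation.
_COORD_RE = re.compile(r"commons-io:commons-io:(?:[A-Za-z]+:)?(\d[^:\s]*)")
# Gradle prints conflict resolution as 'declared -> resolved'; the resolved one ships.
_RESOLVED_RE = re.compile(r"\s*->\s*(\d\S*)")


def scan_dependency_lines(lines: Iterable[str]) -> list[tuple[str, bool]]:
    """Return (version, affected) for every commons-io coordinate found."""
    findings = []
    for line in lines:
        m = _COORD_RE.search(line)
        if not m:
            continue
        version = m.group(1)
        resolved = _RESOLVED_RE.match(line[m.end():])
        if resolved:
            version = resolved.group(1)
        findings.append((version, is_affected(version)))
    return findings


# Constructed sample output, not captured from a real build.
SAMPLE_MAVEN_OUTPUT = [
    "[INFO] The following files have been resolved:",
    "[INFO]    commons-io:commons-io:jar:2.11.0:compile",
    "[INFO]    org.apache.commons:commons-lang3:jar:3.14.0:compile",
    "[INFO]    commons-io:commons-io:jar:2.14.0:test",
]
SAMPLE_GRADLE_OUTPUT = [
    "+--- org.example:app:1.0",
    "|    \\--- commons-io:commons-io:2.7 -> 2.15.1",
    "\\--- commons-io:commons-io:2.14.0-SNAPSHOT",
]

if __name__ == "__main__":
    for version, bad in scan_dependency_lines(SAMPLE_MAVEN_OUTPUT + SAMPLE_GRADLE_OUTPUT):
        status = "AFFECTED, upgrade to 2.14.0 or later" if bad else "ok"
        print(f"commons-io {version}: {status}")
```

Feed it the real output of `mvn dependency:list` or `gradle dependencies` to see which modules still resolve a commons-io inside the affected range; the Gradle arrow handling matters because the declared version is often not the one on the runtime classpath.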

Comment 1 errata-xmlrpc 2024-11-13 16:21:10 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.8.0

Via RHSA-2024:9571 https://access.redhat.com/errata/RHSA-2024:9571

Comment 3 errata-xmlrpc 2025-03-05 20:59:23 UTC
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.0

Via RHSA-2025:2416 https://access.redhat.com/errata/RHSA-2025:2416
