The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-96099 advisory.

  - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an     infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an     attacker can choose the file names inside of an archive created by Compress. (CVE-2019-12402)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle JDeveloper installed on the remote host is prior to 12.2.1.4.0. It is, therefore, affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory:

  - Vulnerability in the Essbase product of Oracle Essbase (component: Infrastructure (Apache Commons Compress)). The     supported version that is affected is 21.2. Easily exploitable vulnerability allows low privileged attacker with     access to the physical communication segment attached to the hardware where the Essbase executes to compromise     Essbase. Successful attacks require human interaction from a person other than the attacker. Successful attacks of     this vulnerability can result in unauthorized update, insert or delete access to some of Essbase accessible data     and unauthorized ability to cause a partial denial of service (partial DOS) of Essbase. (CVE-2019-12402)

  - Vulnerability in the Oracle JDeveloper and ADF product of Oracle Fusion Middleware (component: OAM (Apache POI)).     The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows low privileged     attacker with logon to the infrastructure where Oracle JDeveloper and ADF executes to compromise Oracle JDeveloper     and ADF. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete     access to all Oracle JDeveloper and ADF accessible data. (CVE-2019-12415)

  - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Application     Service Level Mgmt (dom4j)). The supported version that is affected is 13.4.0.0. Easily exploitable vulnerability      allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform.     Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform.     (CVE-2020-10683)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the January 2021 Critical Patch Update (CPU). It is, therefore, affected by the following vulnerabilities:

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework   (Apache Commons Compress)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable   vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal.   Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently   repeatable crash (complete DOS) of Oracle WebCenter Portal (CVE-2019-12402).

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework   (Netty)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows   unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. Successful attacks of   this vulnerability can result in takeover of Oracle WebCenter Portal (CVE-2020-11612). 

  - Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework   (Apache Tika)). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability    allows unauthenticated attacker with logon to the infrastructure where Oracle WebCenter Portal executes to    compromise Oracle WebCenter Portal. Successful attacks require human interaction from a person other than the    attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently   repeatable crash (complete DOS) of Oracle WebCenter Portal (CVE-2020-9489).

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior to 6.23.0. It is, therefore, affected by multiple vulnerabilities:

  - The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation. (CVE-2017-18640)

  - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite     loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose     the file names inside of an archive created by Compress. (CVE-2019-12402)

  - The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1     allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. (CVE-2019-20104)

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the     httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. (CVE-2020-15586)

  - PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE,     an attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain     authorization to the protected resource. (CVE-2020-7692)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of WebLogic Server installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2021 CPU advisory.

  - An unspecified vulnerability exists in the Core component. An unauthenticated, remote attacker with     network access via IIOP, T3 can exploit this issue to compromise the server. Successful attacks of this     vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2021-2108)

  - An unspecified vulnerability exists in the Console component. An authenticated, remote attacker with     network access via HTTP can exploit this issue to compromise the server. Successful attacks of this     vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2021-2109)

  - An unspecified vulnerability exists in the Samples component. An unauthenticated, remote attacker with     network access via IIOP, T3 can exploit this issue to compromise the server. Successful attacks of this     vulnerability can result in takeover of Oracle WebLogic Server. (CVE-2021-2075)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

According to its self-reported version number, the version of JFrog Artifactory installed on the remote host is prior to 7.10.1. It is, therefore, affected by multiple vulnerabilities:

  - Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may     allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when     unmarshaling XML or any supported format. e.g. JSON. (CVE-2013-7285)

  - Multiple XML external entity (XXE) vulnerabilities in the Dom4JDriver, DomDriver, JDomDriver, JDom2Driver, SjsxpDriver,     StandardStaxDriver, and WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files     via a crafted XML document. (CVE-2016-3674)

  - XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance     of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by     an xstream.fromXML call. (CVE-2017-7957)

  - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite     loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose     the file names inside of an archive created by Compress. (CVE-2019-12402)

  - The OpenID client application in Atlassian Crowd before version 3.6.2, and from version 3.7.0 before 3.7.1     allows remote attackers to perform a Denial of Service attack via an XML Entity Expansion vulnerability. (CVE-2019-20104)

  - Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the     httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time. (CVE-2020-15586)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by the following vulnerabilities as referenced in the April 2020 CPU advisory:

  - In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows     suppressing the ability for an attacker to access the classloader via the class property available on all     Java objects. However, this characteristic of the PropertyUtilsBean was not used by default.
    (CVE-2019-10086)

  - The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an     infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an     attacker can choose the file names inside of an archive created by Compress. (CVE-2019-12402)

  - A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default     Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and     the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint     to access, it is possible to make the service execute a malicious payload. This issue exists because of     com.p6spy.engine.spy.P6DataSource mishandling. (CVE-2019-16943)

  - Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which     could result in an application crash (potential information disclosure) or a potential authentication     bypass. (CVE-2019-17195)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Update to version 1.19.

Resolves CVE-2019-12402.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
202626	Atlassian Confluence < 7.19.25 / 8.5.x < 8.5.12 / 8.9.x < 8.9.4 (CONFSERVER-96099)	Nessus	CGI abuses	high
152033	Oracle JDeveloper XXE (July 2021 CPU)	Nessus	Misc.	critical
148925	Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2021 CPU)	Nessus	Misc.	high
147722	JFrog < 6.23.0 Multiple Vulnerabilities	Nessus	Misc.	critical
145264	Oracle WebLogic Server Multiple Vulnerabilities (Jan 2021 CPU)	Nessus	Misc.	critical
144307	JFrog < 7.10.1 Multiple Vulnerabilities	Nessus	Misc.	critical
135583	Oracle Primavera Gateway (Apr 2020 CPU)	Nessus	CGI abuses	critical
130323	Fedora 31 : apache-commons-compress (2019-da0eac1eb6)	Nessus	Fedora Local Security Checks	high
130318	Fedora 30 : apache-commons-compress (2019-c96a8d12b0)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2019-12402

high

Tenable Plugins

high

critical

high

critical

critical

critical

critical

high

high