This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-io.git


The following commit(s) were added to refs/heads/master by this push:
     new 7f7a0515e Document CVE-2024-47554 for version 2.0 before 2.14.0
7f7a0515e is described below

commit 7f7a0515e9cb4062f1fd8159152abd9785aca926
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Wed Jun 11 10:29:01 2025 -0400

    Document CVE-2024-47554 for version 2.0 before 2.14.0
---
 src/site/xdoc/security.xml | 55 +++++++++++++++++++++++-----------------------
 1 file changed, 28 insertions(+), 27 deletions(-)

diff --git a/src/site/xdoc/security.xml b/src/site/xdoc/security.xml
index 8f27e4641..90e0d19e8 100644
--- a/src/site/xdoc/security.xml
+++ b/src/site/xdoc/security.xml
@@ -1,24 +1,10 @@
 <?xml version="1.0"?>
-<!--
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements.  See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership.  The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License.  You may obtain a copy of the License at
-
-   https://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied.  See the License for the
- specific language governing permissions and limitations
- under the License.
--->
-<document xmlns="http://maven.apache.org/XDOC/2.0";
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
+<!-- Licensed to the Apache Software Foundation (ASF) under one or more 
contributor license agreements. See the NOTICE file distributed with this work 
for additional information regarding 
+  copyright ownership. The ASF licenses this file to you under the Apache 
License, Version 2.0 (the "License"); you may not use this file except in 
compliance with the License. You may 
+  obtain a copy of the License at https://www.apache.org/licenses/LICENSE-2.0 
Unless required by applicable law or agreed to in writing, software distributed 
under the License is distributed 
+  on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either 
express or implied. See the License for the specific language governing 
permissions and limitations under the 
+  License. -->
+<document xmlns="http://maven.apache.org/XDOC/2.0"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
   xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 
https://maven.apache.org/xsd/xdoc-2.0.xsd";>
   <properties>
     <title>Apache Commons Security Reports</title>
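Review bot: Collapsing the ASF license header into a single run-on comment and reflowing the `<document>` namespace attributes is unrelated formatting churn in a commit whose stated purpose is documenting CVE-2024-47554; keep the standard multi-line header (the removed form, which matches the other xdoc files) or move the reformat into its own commit so the security-relevant part of the diff stays easy to review.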
@@ -28,24 +14,39 @@
     <section name="About Security">
       <p>
         For information about reporting or asking questions about security, 
please see
-        <a href="https://commons.apache.org/security.html";>Apache Commons 
Security</a>.
+        <a href="https://commons.apache.org/security.html";>Apache Commons 
Security</a>
+        .
       </p>
-      <p>This page lists all security vulnerabilities fixed in released 
versions of this component. 
+      <p>This page lists all security vulnerabilities fixed in released 
versions of this component.
       </p>
       <p>Please note that binary patches are never provided. If you need to 
apply a source code patch, use the building instructions for the component 
version
-        that you are using. 
+        that you are using.
       </p>
       <p>
         If you need help on building this component or other help on following 
the instructions to mitigate the known vulnerabilities listed here, please send
-        your questions to the public
-        <a href="mail-lists.html">user mailing list</a>.
+        your questions to the
+        public
+        <a href="mail-lists.html">user mailing list</a>
+        .
       </p>
       <p>If you have encountered an unlisted security vulnerability or other 
unexpected behavior that has security impact, or if the descriptions here are
-        incomplete, please report them privately to the Apache Security Team. 
Thank you. 
+        incomplete, please report
+        them privately to the Apache Security Team. Thank you.
       </p>
     </section>
     <section name="Security Vulnerabilities">
-      <p>None.</p>
+      <subsection name="CVE-2024-47554">
+        <ul>
+          <li>CVE-2024-47554: Uncontrolled Resource Consumption vulnerability 
in Apache Commons IO.</li>
+          <li>Severity: Low</li>
+          <li>Vendor: The Apache Software Foundation</li>
+          <li>Versions Affected: Apache Commons IO 2.0 before 2.14.0.</li>
+          <li>Description: The org.apache.commons.io.input.XmlStreamReader 
class may excessively consume CPU resources when processing maliciously crafted 
input.
+          </li>
+          <li>Mitigation: Users are recommended to upgrade to version 2.14.0 
or later, which fixes the issue.</li>
+          <li>Credit: CodeQL (tool).</li>
+        </ul>
+      </subsection>
     </section>
   </body>
 </document>
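Review bot: The reflow moves the sentence-ending period onto its own line after `</a>` in two places (the `Apache Commons Security` link followed by a lone `.`, and likewise after the `user mailing list` link), which renders as a space before the period; keep the `.` on the same line as the closing tag. The new `CVE-2024-47554` subsection is consistent with the commit message (versions affected 2.0 before 2.14.0, mitigation is upgrading to 2.14.0 or later); consider linking the CVE identifier to its published advisory so readers can reach the authoritative record from this page.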