POC详情: c7744d96dcb902640295afd1a014fd73b21c4b4b

来源
https://github.com/crazycatMyopic/cve
关联漏洞
标题: Apache Commons Compress 安全漏洞 (CVE-2024-26308)
描述:Apache Commons Compress是美国阿帕奇(Apache)基金会的一个用于处理压缩文件的库。 Apache Commons Compress 1.21版本至1.26之前版本存在安全漏洞,该漏洞源于资源分配无限制。
描述
Docker Deskop giving issue CVE-2024-26308 for maven [reproduce]
介绍
#CVE

## Problem statement: [Stackoverflow](https://stackoverflow.com/questions/78857964/docker-deskop-giving-issue-cve-2024-26308-for-maven)

I'm trying to build by project in Docker, So i'm using Docker Desktop to build my project,
when i build the image i get this as one of my vulnerabilities
```
CVE-2024-26308
CWE-770
7.5
H
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
CVSS Score:	7.5
CVSS Vector:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected range:	>=1.21,<1.26.0
Fix version:	1.26.0
Publish date:	2024-02-19
``` 

I would like to fix this, but when i read the bug it say it's due to `org.apache.commons`, but i don't have it in my dependency, i try running `mvn help:effective-pom` and ` mvn dependency:tree -Dverbose` and i still did not find it.
What could be the cause of it and how can i fix it?
---------------------------------------

### Requirement

- Java 17
- maven
- Docker Desktop

### RUN

command to run
```
 docker build --target run -t build_run .
```

### Snapshot


![snapsho](https://github.com/user-attachments/assets/237d6699-1594-4ceb-8726-c8c44a8602bb)
文件快照

 [4.0K]  /data/pocs/c7744d96dcb902640295afd1a014fd73b21c4b4b
├── [ 353]  Dockerfile
├── [4.0K]  m1
│   ├── [1.0K]  pom.xml
│   └── [4.0K]  src
│       ├── [4.0K]  main
│       │   └── [4.0K]  java
│       │       └── [4.0K]  org
│       │           └── [4.0K]  example
│       │               └── [ 155]  Application.java
│       └── [4.0K]  test
│           └── [4.0K]  java
│               └── [4.0K]  org
│                   └── [4.0K]  example
│                       └── [ 234]  ApplicationTest.java
├── [4.0K]  m2
│   ├── [2.2K]  pom.xml
│   └── [4.0K]  src
│       ├── [4.0K]  main
│       │   └── [4.0K]  java
│       │       └── [4.0K]  org
│       │           └── [4.0K]  example
│       │               └── [ 155]  Application.java
│       └── [4.0K]  test
│           └── [4.0K]  java
│               └── [4.0K]  org
│                   └── [4.0K]  example
│                       └── [ 234]  ApplicationTest.java
├── [1.5K]  pom.xml
└── [1.3K]  README.md

20 directories, 9 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。