CVE-2024-47554

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1	Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/10/03/2	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20250131-0010/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:commons_io:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::linux::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
	cpe:2.3:a:netapp:bluexp:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:::::::*
	cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere::
	cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere::
	cpe:2.3:a:netapp:santricity_storage_plugin:-:::::vcenter::
	cpe:2.3:a:netapp:snapcenter:-:::::::*

History

No history.

Information

Published : 2024-10-03 12:15

Updated : 2025-07-10 21:10

NVD link : CVE-2024-47554

Mitre link : CVE-2024-47554

CVE.ORG link : CVE-2024-47554

JSON object : View

Products Affected

netapp

e-series_santricity_unified_manager
santricity_storage_plugin
snapcenter
ontap_tools
bluexp
e-series_santricity_web_services_proxy
active_iq_unified_manager

apache

commons_io

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2024-47554", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2024-10-03T12:15:02.613", "references": [{"url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", "tags": ["Mailing List", "Vendor Advisory"], "source": "[email protected]"}, {"url": "http://www.openwall.com/lists/oss-security/2024/10/03/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20250131-0010/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue."}, {"lang": "es", "value": "Vulnerabilidad de consumo descontrolado de recursos en Apache Commons IO. La clase org.apache.commons.io.input.XmlStreamReader puede consumir recursos de CPU en exceso al procesar una entrada manipulada con fines malintencionados. Este problema afecta a Apache Commons IO: desde la versi\u00f3n 2.0 hasta la 2.14.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 2.14.0 o posterior, que soluciona el problema."}], "lastModified": "2025-07-10T21:10:32.113", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons_io:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "133FC9D6-82C4-40E3-AB39-FE04E5A0BF4D", "versionEndExcluding": "2.14.0", "versionStartIncluding": "2.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "vulnerable": true, "matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1"}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5"}, {"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "vulnerable": true, "matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE"}, {"criteria": "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106"}, {"criteria": "cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB695329-036B-447D-BEB0-AA4D89D1D99C"}, {"criteria": "cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23F148EC-6D6D-4C4F-B57C-CFBCD3D32B41"}, {"criteria": "cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "C2D814BE-93EC-42EF-88C5-EA7E7DF07BE5"}, {"criteria": "cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "5333B745-F7A3-46CB-8437-8668DB08CD6F"}, {"criteria": "cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*", "vulnerable": true, "matchCriteriaId": "82E94B87-065E-475F-815C-F49978CE22FC"}, {"criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}