Allele Security Alert
Zip Bomb Vulnerability
Identifier: CVE-2019-12625
Affected versions: ClamAV versions before 0.101.4
Fixed version: ClamAV version 0.101.4
Proof of concept
Description: ClamAV versions prior to 0.101.4 are susceptible to a zip bomb vulnerability. An unauthenticated attacker can cause a denial of service condition by sending crafted messages (for example, a crafted zip archive as an attachment) to an affected system. The archive is a non-recursive zip bomb whose entries overlap and share compressed data, so scanning a small file forces ClamAV to process an enormous amount of decompressed data and consume extreme CPU time. The fixes bound the damage in two ways: a --max-scantime clamscan option and a MaxScanTime clamd configuration option cap the time spent on a single scan, and a new heuristic detects and alerts on zip archives with overlapping files, preventing extraction of such non-recursive zip bombs.
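The following is an added example written for this alert; it is not ClamAV's code and not the construction from the referenced "A better zip bomb" research. It builds a constructed zip whose central-directory entries all point at one local file header (a toy full-overlap stand-in for the overlapping-files pattern) plus an ordinary control archive, then parses the central directory to flag two zip-bomb signals: overlapping entry byte ranges (the heuristic the 0.101.4 release notes describe) and an implausible declared-size-to-archive-size ratio. The function names (build_overlapping_zip, assess, naive_listing) and the 100:1 ratio threshold are this example's own assumptions.

```python
import io
import struct
import zipfile
import zlib

# Added example, not ClamAV's code: parse a zip central directory and flag
# overlapping entry ranges and an implausible declared/actual size ratio.
LOCAL_SIG = b"PK\x03\x04"
CDIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"       # local file header, 30 bytes
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory header, 46 bytes
EOCD_FMT = "<4sHHHHIIH"           # end of central directory, 22 bytes


def raw_deflate(payload: bytes) -> bytes:
    """Raw DEFLATE stream (no zlib header/trailer), as stored inside a zip."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(payload) + c.flush()


def build_overlapping_zip(copies: int, payload: bytes = b"\0" * 65536) -> bytes:
    """Constructed input: one local header + compressed data, and `copies`
    central-directory entries that all point at offset 0 (full overlap).
    A toy stand-in for the overlapping-files technique (assumption)."""
    data = raw_deflate(payload)
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local_name = b"file0.bin"
    local = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 8, 0, 0, crc, len(data),
                        len(payload), len(local_name), 0) + local_name + data
    cdir = b""
    for i in range(copies):
        name = f"file{i}.bin".encode()
        cdir += struct.pack(CDIR_FMT, CDIR_SIG, 20, 20, 0, 8, 0, 0, crc, len(data),
                            len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, copies, copies, len(cdir), len(local), 0)
    return local + cdir + eocd


def build_normal_zip() -> bytes:
    """Constructed control: an ordinary two-file archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"hello " * 100)
        zf.writestr("b.txt", b"world " * 100)
    return buf.getvalue()


def central_directory_entries(blob: bytes):
    """Yield (name, start, end, uncompressed_size) per central-directory entry;
    [start, end) is the archive byte range the entry claims, from its local
    header through the end of its compressed data."""
    eocd_pos = blob.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from(EOCD_FMT, blob, eocd_pos)
    pos = cd_off
    for _ in range(total):
        f = struct.unpack_from(CDIR_FMT, blob, pos)
        if f[0] != CDIR_SIG:
            raise ValueError("bad central directory signature")
        csize, usize, nlen, xlen, clen, off = f[8], f[9], f[10], f[11], f[12], f[16]
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        lf = struct.unpack_from(LOCAL_FMT, blob, off)
        if lf[0] != LOCAL_SIG:
            raise ValueError(f"{name}: offset does not point at a local header")
        yield name, off, off + 30 + lf[9] + lf[10] + csize, usize
        pos += 46 + nlen + xlen + clen


def find_overlaps(entries):
    """Sweep ranges sorted by start; report (earlier, later) for every entry
    whose range intersects the furthest-reaching earlier entry."""
    flagged, max_end, owner = [], -1, None
    for name, start, end, _ in sorted(entries, key=lambda e: (e[1], e[2])):
        if start < max_end:
            flagged.append((owner, name))
        if end > max_end:
            max_end, owner = end, name
    return flagged


def assess(blob: bytes, max_ratio: float = 100.0) -> dict:
    """Summarise an archive: overlap pairs plus declared-size ratio (threshold is an assumption)."""
    entries = list(central_directory_entries(blob))
    overlaps = find_overlaps(entries)
    declared = sum(e[3] for e in entries)
    ratio = declared / max(len(blob), 1)
    return {"entries": len(entries), "overlaps": overlaps, "declared_bytes": declared,
            "ratio": ratio, "suspect": bool(overlaps) or ratio > max_ratio}


def naive_listing(blob: bytes) -> list:
    """What a plain directory listing sees: every entry looks like a separate file."""
    return zipfile.ZipFile(io.BytesIO(blob)).namelist()


if __name__ == "__main__":
    for label, blob in (("overlapping", build_overlapping_zip(10)), ("control", build_normal_zip())):
        r = assess(blob)
        print(f"{label}: {r['entries']} entries, {len(r['overlaps'])} overlapping, "
              f"{r['declared_bytes']} declared bytes in a {len(blob)}-byte archive "
              f"(ratio {r['ratio']:.0f}), suspect={r['suspect']}")
```

For the constructed archive every entry after the first is flagged as overlapping the first and the declared size is hundreds of times the archive size, while the control archive is clean. The real construction from the referenced research is more subtle than this toy: each entry gets its own local header and the shared compressed data is reached through DEFLATE quoting, so a production check should also compare each local header's filename against the central directory's, and a scan-time cap such as MaxScanTime remains the backstop for inputs the overlap heuristic does not catch (including recursive bombs, which need nesting-depth and total-size limits instead).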
References:
ClamAV 0.101.3 security patch release and 0.102.0-beta have been published
ClamAV 0.101.4 security patch release has been published
ZIP bomb causes extreme CPU spikes
Adds --max-scantime clamscan option and MaxScanTime clamd config option.
Adds detection and heuristic alert for zips with overlapping files, preventing extraction of non-recursive zip bombs.
clamav: denial of service through "better zip bomb"
A better zip bomb
CVE-2019-12625 | SUSE
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 8, 2019