CVE-2024-47554

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-47554
Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1 Mailing List Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/10/03/2 Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20250131-0010/ Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:commons_io:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
History

10 Jul 2025, 21:10

Type Values Removed Values Added
CPE cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_storage_plugin:-:*:*:*:*:vcenter:*:*
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:ontap_tools:9:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:ontap_tools:10:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*
cpe:2.3:a:apache:commons_io:*:*:*:*:*:*:*:*
References () https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1 - () https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1 - Mailing List, Vendor Advisory
References () http://www.openwall.com/lists/oss-security/2024/10/03/2 - () http://www.openwall.com/lists/oss-security/2024/10/03/2 - Mailing List, Third Party Advisory
References () https://security.netapp.com/advisory/ntap-20250131-0010/ - () https://security.netapp.com/advisory/ntap-20250131-0010/ - Third Party Advisory
First Time Netapp bluexp
Netapp ontap Tools
Netapp e-series Santricity Web Services Proxy
Netapp e-series Santricity Unified Manager
Netapp snapcenter
Apache commons Io
Netapp santricity Storage Plugin
Netapp
Netapp active Iq Unified Manager
Apache

31 Jan 2025, 15:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20250131-0010/ -

04 Dec 2024, 15:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.3

21 Nov 2024, 09:39

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2024/10/03/2 -

04 Oct 2024, 13:50

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de consumo descontrolado de recursos en Apache Commons IO. La clase org.apache.commons.io.input.XmlStreamReader puede consumir recursos de CPU en exceso al procesar una entrada manipulada con fines malintencionados. Este problema afecta a Apache Commons IO: desde la versión 2.0 hasta la 2.14.0. Se recomienda a los usuarios que actualicen a la versión 2.14.0 o posterior, que soluciona el problema.

03 Oct 2024, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-10-03 12:15

Updated : 2025-07-10 21:10

NVD link : CVE-2024-47554

Mitre link : CVE-2024-47554

CVE.ORG link : CVE-2024-47554

JSON object : View

Products Affected

netapp

  • santricity_storage_plugin
  • e-series_santricity_web_services_proxy
  • snapcenter
  • bluexp
  • ontap_tools
  • e-series_santricity_unified_manager
  • active_iq_unified_manager

apache

  • commons_io
CWE
CWE-400

Uncontrolled Resource Consumption