Security Bulletin: Vulnerability in commons-compress affects IBM Cloud Pak for Data System 1.0(CPDS 1.0)[CVE-2024-25710, CVE-2024-26308].

The commons-compress package is used by IBM Cloud Pak for Data System 1.0. IBM Cloud Pak for Data System 1.0 has addressed the applicable CVE [CVE-2024-25710, CVE-2024-26308].

## Vulnerability Details

**CVEID:**CVE-2024-25710
**DESCRIPTION:** Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
**CWE:**CWE-835: Loop with Unreachable Exit Condition (‘Infinite Loop’)
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2024-26308
**DESCRIPTION:** Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
**CWE:**CWE-770: Allocation of Resources Without Limits or Throttling
**CVSS Source:** IBM X-Force
**CVSS Base score:** 5.5
**CVSS Vector:**(CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
IBM Cloud Pak for Data System 1.0| 1.0.0.0- 1.0.8.4

## Remediation/Fixes

**IBM strongly recommends addressing the vulnerability now by upgrading to latest version.**

**Product**| **VRMF**| **Remediation/First Fix**
—|—|—
IBM Cloud Pak for Data System 1.0| 1.0.9.0| Link to Fix Central

## Workarounds and Mitigations

None

##