Apache Commons Collections Uncontrolled Recursion Vulnerability
Cx78f40514-81ff
Issue date: 21-09-2022
Affects versions: 15.1, 14.7, 13.4
Security Issue ID
Affected Product Version(s): 15.1.0, 14.7.8, 13.4.18, and all previous versions
Apache Commons Collections before 4.3 is vulnerable to a stack overflow caused by uncontrolled recursion. The add() method in the file src/main/java/org/apache/commons/collections4/list/SetUniqueList.java throws a StackOverflowError when it is called with its own list as the argument.
The problem has been recognized and patched. The fix is available in version 4.3.0.
Currently there is no version that fixes this vulnerability. Because the fix would cause backwards-compatibility issues that are worse than the potential vulnerability, the plan is to fix it in the next major version.
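For code that cannot yet move to a fixed version, a caller-side check can reject an element that refers back to the list before add() is called. The following is an added example, not code from Apache Commons Collections or from this advisory; it uses JDK classes only, and the names SelfReferenceGuard, reaches and addChecked are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Deque;
import java.util.IdentityHashMap;
import java.util.List;
import java.util.Set;

public class SelfReferenceGuard {

    /** True if candidate is target, or reaches target through nested collections. */
    static boolean reaches(Object candidate, Collection<?> target) {
        // Identity-based visited set: equals()/hashCode() on a cyclic list would recurse.
        Set<Object> seen = Collections.newSetFromMap(new IdentityHashMap<>());
        Deque<Object> work = new ArrayDeque<>();
        if (candidate != null) work.push(candidate);   // ArrayDeque rejects null
        while (!work.isEmpty()) {                      // iterative walk, no deep call stack
            Object o = work.pop();
            if (o == target) return true;
            if (o instanceof Collection && seen.add(o)) {
                for (Object child : (Collection<?>) o) {
                    if (child != null) work.push(child);
                }
            }
        }
        return false;
    }

    /** Adds element unless doing so would make the list contain itself. */
    static boolean addChecked(List<Object> list, Object element) {
        if (reaches(element, list)) {
            throw new IllegalArgumentException("element refers back to the target list");
        }
        return list.add(element);
    }

    public static void main(String[] args) {
        List<Object> list = new ArrayList<>();      // stand-in for the list being filled
        List<Object> wrapper = new ArrayList<>();
        wrapper.add(list);                          // constructed input: nested reference
        addChecked(list, "ok");                     // ordinary element is accepted
        for (Object bad : new Object[] { list, wrapper }) {
            try {
                addChecked(list, bad);              // the list itself, then a wrapper around it
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Because SetUniqueList implements java.util.List, addChecked can be called with a SetUniqueList as its first argument; the check compares by identity and never calls equals() or hashCode() on the collections it walks.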