CVE-2019-12402 [High] | Denial of Service in Commons Compress

CVE-2019-12402 is rated High Risk (68.8/100): CVSS High severity, with high exploitation likelihood (EPSS 16.16%, 97th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +15.78% over the last day, indicating growing attacker interest. High exploitation likelihood—assess exposure and prioritize remediation.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.38%	16.16%	+15.78%
2	2025-11-21	4.95%	0.38%	-4.57%
3	2025-11-18	—	4.95%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.38%

16.16%

+15.78%

2025-11-21

4.95%

0.38%

-4.57%

2025-11-18

—

4.95%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	[email protected]
5.0	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:N/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	10.0	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

3.6

[email protected]

5.0

2.0

MEDIUM

AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

2.9

[email protected]

OS Trackers for CVE-2019-12402

vendor	priority	summary	link
`debian`	low	CVE-2019-12402 low priority: Debian including 1 source packages (libcommons-compress-java), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2019-12402
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2019-12402
`ubuntu`	medium	CVE-2019-12402 medium priority: Ubuntu including 1 source packages (libcommons-compress-java), 18 status rows across 18 suites (bionic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 14, DNE 1, ignored 1, needed 1, released 1.	https://ubuntu.com/security/CVE-2019-12402

Affected software / configurations for CVE-2019-12402

Vendor	Product	Version	Raw CPE
apache	commons_compress	>= 1.15, <= 1.18	cpe:2.3:a:apache:commons_compress::::::::
fedoraproject	fedora	30	cpe:2.3:o:fedoraproject:fedora:30:::::::*
fedoraproject	fedora	31	cpe:2.3:o:fedoraproject:fedora:31:::::::*
oracle	banking_payments	>= 14.1.0, <= 14.4.0	cpe:2.3:a:oracle:banking_payments::::::::
oracle	banking_platform	2.6.2	cpe:2.3:a:oracle:banking_platform:2.6.2:::::::*
oracle	banking_platform	2.7.0	cpe:2.3:a:oracle:banking_platform:2.7.0:::::::*
oracle	banking_platform	2.8.0	cpe:2.3:a:oracle:banking_platform:2.8.0:::::::*
oracle	banking_platform	2.9.0	cpe:2.3:a:oracle:banking_platform:2.9.0:::::::*
oracle	communications_element_manager	>= 8.2.0, <= 8.2.2	cpe:2.3:a:oracle:communications_element_manager::::::::
oracle	communications_ip_service_activator	7.3.0	cpe:2.3:a:oracle:communications_ip_service_activator:7.3.0:::::::*
oracle	communications_ip_service_activator	7.4.0	cpe:2.3:a:oracle:communications_ip_service_activator:7.4.0:::::::*
oracle	communications_session_report_manager	>= 8.2.0, <= 8.2.2	cpe:2.3:a:oracle:communications_session_report_manager::::::::
oracle	communications_session_route_manager	>= 8.2.0, <= 8.2.2	cpe:2.3:a:oracle:communications_session_route_manager::::::::
oracle	customer_management_and_segmentation_foundation	18.0	cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:::::::*
oracle	essbase	21.2	cpe:2.3:a:oracle:essbase:21.2:::::::*
oracle	flexcube_investor_servicing	12.1.0	cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:::::::*
oracle	flexcube_investor_servicing	12.3.0	cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:::::::*
oracle	flexcube_investor_servicing	12.4.0	cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:::::::*
oracle	flexcube_investor_servicing	14.0.0	cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:::::::*
oracle	flexcube_investor_servicing	14.1.0	cpe:2.3:a:oracle:flexcube_investor_servicing:14.1.0:::::::*
oracle	flexcube_private_banking	12.0.0	cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:::::::*
oracle	flexcube_private_banking	12.1.0	cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:::::::*
oracle	hyperion_infrastructure_technology	11.1.2.4	cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:::::::*
oracle	jdeveloper	12.2.1.4.0	cpe:2.3:a:oracle:jdeveloper:12.2.1.4.0:::::::*
oracle	peoplesoft_enterprise_pt_peopletools	8.56	cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.56:::::::*
oracle	peoplesoft_enterprise_pt_peopletools	8.57	cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:::::::*
oracle	peoplesoft_enterprise_pt_peopletools	8.58	cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:::::::*
oracle	primavera_gateway	>= 18.8.0, <= 18.8.8	cpe:2.3:a:oracle:primavera_gateway::::::::
oracle	primavera_gateway	19.12.0	cpe:2.3:a:oracle:primavera_gateway:19.12.0:::::::*
oracle	retail_integration_bus	15.0	cpe:2.3:a:oracle:retail_integration_bus:15.0:::::::*
oracle	retail_integration_bus	16.0	cpe:2.3:a:oracle:retail_integration_bus:16.0:::::::*
oracle	retail_xstore_point_of_service	15.0	cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:::::::*
oracle	retail_xstore_point_of_service	16.0	cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:::::::*
oracle	retail_xstore_point_of_service	17.0	cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:::::::*
oracle	retail_xstore_point_of_service	18.0	cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:::::::*
oracle	retail_xstore_point_of_service	19.0	cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0:::::::*
oracle	webcenter_portal	12.2.1.3.0	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
oracle	webcenter_portal	12.2.1.4.0	cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:::::::*

URL	Tags
https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b%40%3Cdev.commons.apache.org%3E
https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea%40%3Ccommits.creadur.apache.org%3E
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53%40%3Cdev.brooklyn.apache.org%3E
https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265%40%3Cissues.flink.apache.org%3E
https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL/
https://security.netapp.com/advisory/ntap-20230818-0001/
https://www.oracle.com//security-alerts/cpujul2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html	Not Applicable Third Party Advisory

URL

CVE-2019-12402

Exploit prediction scoring system (EPSS) score for CVE-2019-12402

Common vulnerability scoring system (CVSS) metrics for CVE-2019-12402

Weakness enumeration for CVE-2019-12402

GitHub Security Advisory for CVE-2019-12402

OS Trackers for CVE-2019-12402

Affected software / configurations for CVE-2019-12402

References for CVE-2019-12402