CVE-2023-42503: 
Java vulnerability analysis and mitigation

CVE-2023-42503 is a vulnerability affecting Apache Commons Compress in TAR parsing functionality. The issue was discovered in versions from 1.22 before 1.24.0, with users recommended to upgrade to version 1.24.0 for remediation. The vulnerability stems from improper input validation and uncontrolled resource consumption in the TAR parsing component (NVD).

The vulnerability occurs in the parsing of file modification times with higher precision in TAR files. The PAX extended headers format consists of two numbers separated by a period, indicating seconds and subsecond precision. The affected fields include 'atime', 'ctime', 'mtime', and 'LIBARCHIVE.creationtime'. The issue arises from lack of input validation prior to parsing header values, combined with the BigDecimal class's known algorithmic complexity issue when handling large numbers. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD, NetApp Advisory).

When exploited, an attacker can create a malformed TAR file by manipulating file modification times headers with either a very long fraction (300,000 digits) or a number with exponent notation. Processing these malformed files can cause operations to take hours instead of seconds, leading to a denial of service through CPU resource exhaustion (NVD).

The primary mitigation is to upgrade to Apache Commons Compress version 1.24.0, which contains the fix for this vulnerability. This issue only affects versions from 1.22 onwards, as the vulnerable code was introduced in that version (NVD).