CVE-2021-35515: When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Affected

46 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	commons_compress	1.6 – 1.20	—
apache_software_foundation	apache_commons_compress	>= 1.6 < Apache Commons Compress*	Apache Commons Compress*
atlassian	confluence_data_center	—	—
debian	libcommons-compress-java	< libcommons-compress-java 1.21-1 (bookworm)	libcommons-compress-java 1.21-1 (bookworm)
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	18.1 – 18.3	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_party_management	—	—
oracle	banking_payments	—	—
oracle	banking_trade_finance	—	—
oracle	banking_treasury_management	—	—
oracle	business_process_management_suite	—	—
oracle	business_process_management_suite	—	—
oracle	commerce_guided_search	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_cloud_native_core_automated_test_suite	—	—
oracle	communications_cloud_native_core_service_communication_proxy	—	—
oracle	communications_cloud_native_core_unified_data_repository	—	—
oracle	communications_diameter_intelligence_hub	8.0.0 – 8.2.3	—
oracle	communications_messaging_server	—	—
oracle	communications_session_route_manager	8.0.0 – 8.2.5	—
oracle	financial_services_crime_and_compliance_management_studio	—	—
oracle	financial_services_crime_and_compliance_management_studio	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH