CVE-2021-35515Excessive Iteration in Software Foundation Apache Commons Compress

CWE-834Excessive IterationCWE-835Infinite Loop9 documents8 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 30.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
25
Apache Software Foundation Apache Commons CompressApache Commons CompressOracle Banking Digital Experience+22 more
Timeline
PublishedJul 13
Latest updateJul 16

Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages25 packages

CVEListV5apache_software_foundation/apache_commons_compress1.6Apache Commons Compress*
NVDapache/commons_compress1.61.20

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
Excessive Iteration in Compress2021-08-02
GHSA
Excessive Iteration in Compress2021-08-02
OSV
CVE-2021-35515: When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop2021-07-13
CVEList
Apache Commons Compress 1.6 to 1.20 denial of service vulnerability2021-07-13

📋Vendor Advisories

4
Atlassian
CVE-2021-35515: DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server2024-07-16
Oracle
Oracle Oracle Communications Risk Matrix: Automated Test Suite (Apache Commons Compress) — CVE-2021-355152022-04-15
Red Hat
apache-commons-compress: infinite loop when reading a specially crafted 7Z archive2021-07-13
Debian
CVE-2021-35515: libcommons-compress-java - When reading a specially crafted 7Z archive, the construction of the list of cod...2021
CVE-2021-35515 — Excessive Iteration | cvebase