CVE-2021-35516

Severity: 7.5 HIGH
EPSS: 1.4% (top 19.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 13; Latest update Jul 16

Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (25 packages)

Source     | Package                                            | Affected versions
-----------|----------------------------------------------------|---------------------------------
CVEListV5  | apache_software_foundation/apache_commons_compress | 1.6 (Apache Commons Compress, *)
Debian     | libcommons-compress-java                           | < 1.21-1+2
NVD        | apache/commons_compress                            | 1.6 to 1.20

Patches

Vulnerability Details (4)

OSV: Improper Handling of Length Parameter Inconsistency in Compress (2021-08-02)
GHSA: Improper Handling of Length Parameter Inconsistency in Compress (2021-08-02)
CVEList: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability (2021-07-13)
OSV: CVE-2021-35516: When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error eve... (2021-07-13)

Vendor Advisories (3)

Atlassian: CVE-2021-35516: DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server (2024-07-16)
Red Hat: apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive (2021-07-13)
Debian: CVE-2021-35516: libcommons-compress-java - When reading a specially crafted 7Z archive, Compress can be made to allocate la... (2021)