CVE-2021-35517: When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Affected

53 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	commons_compress	1.1 – 1.20	—
apache_software_foundation	apache_commons_compress	>= 1.1 < Apache Commons Compress*	Apache Commons Compress*
atlassian	confluence_data_center	—	—
debian	libcommons-compress-java	< libcommons-compress-java 1.21-1 (bookworm)	libcommons-compress-java 1.21-1 (bookworm)
oracle	banking_apis	—	—
oracle	banking_apis	—	—
oracle	banking_apis	—	—
oracle	banking_apis	—	—
oracle	banking_apis	18.1 – 18.3	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	—	—
oracle	banking_digital_experience	18.1 – 18.3	—
oracle	banking_enterprise_default_management	—	—
oracle	banking_party_management	—	—
oracle	banking_payments	—	—
oracle	banking_trade_finance	—	—
oracle	banking_treasury_management	—	—
oracle	business_process_management_suite	—	—
oracle	business_process_management_suite	—	—
oracle	commerce_guided_search	—	—
oracle	communications_billing_and_revenue_management	—	—
oracle	communications_cloud_native_core_service_communication_proxy	—	—
oracle	communications_cloud_native_core_unified_data_repository	—	—

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

osv7.5HIGH