CVE-2021-35517

CWE-130 CWE-770 — Allocation without Limits8 documents7 sources

Severity

7.5HIGH

EPSS

1.1%

top 22.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Commons Compress Apache Commons Compress Oracle Banking Apis +23 more

Timeline

PublishedJul 13

Latest updateJul 16

Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages28 packages

▶Mavenorg.apache.commons:commons-compress< 1.21

▶CVEListV5apache_software_foundation/apache_commons_compress1.1 — Apache Commons Compress*

▶Debianlibcommons-compress-java< 1.21-1+2

▶NVDapache/commons_compress1.1 — 1.20

▶NVDoracle/financial_services_enterprise_case_management8.0.7.2.0, 8.0.8.1.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Improper Handling of Length Parameter Inconsistency in Compress↗2021-08-02

▶

OSV

Improper Handling of Length Parameter Inconsistency in Compress↗2021-08-02

▶

OSV

CVE-2021-35517: When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error ev↗2021-07-13

▶

CVEList

Apache Commons Compress 1.1 to 1.20 denial of service vulnerability↗2021-07-13

▶

📋Vendor Advisories

Atlassian

CVE-2021-35517: DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server↗2024-07-16

▶

Red Hat

apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive↗2021-07-13

▶

Debian

CVE-2021-35517: libcommons-compress-java - When reading a specially crafted TAR archive, Compress can be made to allocate l...↗2021

▶