CVE-2021-35940: Out-of-bounds Read in Apache Software Foundation Apache Portable Runtime

CWE-125: Out-of-bounds Read (8 documents, 8 sources)

Severity: 7.1 HIGH (NVD)
EPSS: 0.1% (top 82.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 23; Latest update Jul 15

Description

An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Exploitability: 1.8 | Impact: 5.2

Affected Packages (3 packages)

CVEList V5: apache_software_foundation/apache_portable_runtime, Apache Portable Runtime 1.7.0
NVD: oracle/http_server 12.2.1.3.0, 12.2.1.4.0 (+1)

Patches

Vulnerability Details (3)

GHSA: GHSA-95qq-4mqm-pp5g: An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1... (2022-05-24)
OSV: CVE-2021-35940: An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1... (2021-08-23)
CVEList: Regression of CVE-2017-12613 (2021-08-23)

Vendor Advisories (4)

Oracle: Oracle Fusion Middleware Risk Matrix: SSL Module (Apache Portable Runtime) — CVE-2021-35940 (2022-07-15)
Ubuntu: APR vulnerability (2021-08-30)
Red Hat: apr: Regression of CVE-2017-12613 fix in apr 1.7 (2021-08-23)
Debian: CVE-2021-35940: apr - An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Ap... (2021)
CVE-2021-35940 — Out-of-bounds Read | cvebase