CVE-2021-36090 — Improper Handling of Length Parameter Inconsistency in Apache Commons Compress
Severity: 7.5 HIGH (NVD)
EPSS: 0.6% (top 30.73%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 13
Latest update: Jul 16
Description
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 33 packages
Patches
Vulnerability Details
OSV (4)
CVE-2021-36090: When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error ev (2021-07-13)
Vendor Advisories
Atlassian (13)
CVE-2021-36090: 8.9.0 to 8.9.3 8.8.0 to 8.8.1 8.7.1 to 8.7.2 8.6.0 to 8.6.2 8.5.0 to 8.5.11 (LTS) 8.4.0 to 8.4.5 8.3.0 to 8.3.4 8.2.0 to (2024-07-16)
Oracle
Oracle Siebel CRM Risk Matrix: Installation (Apache Commons Compress) — CVE-2021-36090 (2024-07-15)
Oracle
Oracle Fusion Middleware Risk Matrix: Oracle JDeveloper (Apache Commons Compress) — CVE-2021-36090 (2024-01-15)
Oracle
Oracle Fusion Middleware Risk Matrix: General (Apache Commons Compress) — CVE-2021-36090 (2023-07-15)
Oracle
Oracle Blockchain Platform Risk Matrix: BCS Console (Apache Commons Compress) — CVE-2021-36090 (2023-04-15)