CVE-2021-36373

CWE-130 CWE-770 — Allocation without Limits9 documents8 sources

Severity

5.5MEDIUM

EPSS

0.1%

top 71.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache ANT Oracle Timesten In-memory Database Apache Software Foundation Apache ANT +30 more

Timeline

PublishedJul 14

Latest updateApr 15

Description

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages35 packages

▶NVDapache/ant1.9.0 — 1.9.16+1

▶Mavenorg.apache.ant:ant1.10.0 — 1.10.11+1

▶CVEListV5apache_software_foundation/apache_antApache Ant 1.9.x — 1.9.15+1

▶NVDoracle/timesten_in-memory_database< 11.2.2.8.27

▶Debianant< 1.10.11-1+2

Patches

Patch: ant.apache.org ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Improper Handling of Length Parameter Inconsistency in Apache Ant↗2021-08-02

▶

GHSA

Improper Handling of Length Parameter Inconsistency in Apache Ant↗2021-08-02

▶

CVEList

Apache Ant TAR archive denial of service vulnerability↗2021-07-14

▶

OSV

CVE-2021-36373: When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memor↗2021-07-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle JD Edwards Risk Matrix: Deployment SEC (Apache Ant) — CVE-2021-36373↗2023-04-15

▶

Red Hat

ant: excessive memory allocation when reading a specially crafted TAR archive↗2021-07-13

▶

Microsoft

Apache Ant TAR archive denial of service vulnerability↗2021-07-13

▶

Debian

CVE-2021-36373: ant - When reading a specially crafted TAR archive an Apache Ant build can be made to ...↗2021

▶