CVE-2021-36373: When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error…

medium5.5CVSS 3.1

AVLACLPRNUIRSUCNINAH

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Affected

83 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	ant	>= 0 < 1.10.11-1	1.10.11-1
apache	ant	>= 0 < 1.10.11-1	1.10.11-1
apache	ant	>= 0 < 1.10.11-1	1.10.11-1
apache	ant	>= 1.10.0 < 1.10.11	1.10.11
apache	ant	>= 1.9.0 < 1.9.16	1.9.16
apache_software_foundation	apache_ant	Apache Ant 1.10.x – 1.10.10	—
apache_software_foundation	apache_ant	Apache Ant 1.9.x – 1.9.15	—
debian	ant	< ant 1.10.11-1 (bookworm)	ant 1.10.11-1 (bookworm)
msrc	azl3_javapackages-bootstrap_1.14.0-2_on_azure_linux_3.0	—	—
msrc	azl3_javapackages-bootstrap_1.5.0-4_on_azure_linux_3.0	—	—
msrc	cbl2_javapackages-bootstrap_1.5.0-6_on_cbl_mariner_2.0	—	—
msrc	cm1_ant_1.10.11-1_on_cbl_mariner_1.0	—	—
oracle	agile_plm	—	—
oracle	banking_trade_finance	—	—
oracle	banking_treasury_management	—	—
oracle	communications_cloud_native_core_automated_test_suite	—	—
oracle	communications_cloud_native_core_binding_support_function	—	—
oracle	communications_order_and_service_management	—	—
oracle	communications_order_and_service_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	communications_unified_inventory_management	—	—
oracle	enterprise_repository	—	—

CVSS provenance

nvdv3.15.5MEDIUMCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

osv5.5MEDIUM