History: Jul 13, 2021 - 8:15 a.m.

CVE-2021-35515

2021-07-13 08:15:07
CWE-834
CWE-835
apache
web.nvd.nist.gov
cve-2021-35515
7z archive
denial of service
compress
sevenz package

CVSS2: 5

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.1
Confidence: High

EPSS: 0.021
Percentile: 89.3%

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress’ sevenz package.

Affected configurations

Node
  apache commons_compress: Range 1.6 to 1.20

Node (OR)
  netapp active_iq_unified_manager: Match - (linux)
  netapp active_iq_unified_manager: Match - (vmware_vsphere)
  netapp active_iq_unified_manager: Match - (windows)
  netapp oncommand_insight: Match -

Node (OR)
  oracle banking_digital_experience: Range 18.1 to 18.3
  oracle banking_digital_experience: Match 19.1
  oracle banking_digital_experience: Match 20.1
  oracle banking_digital_experience: Match 21.1
  oracle banking_enterprise_default_management: Match 2.7.0
  oracle banking_party_management: Match 2.7.0
  oracle banking_payments: Match 14.5
  oracle banking_trade_finance: Match 14.5
  oracle banking_treasury_management: Match 14.5
  oracle business_process_management_suite: Match 12.2.1.3.0
  oracle business_process_management_suite: Match 12.2.1.4.0
  oracle commerce_guided_search: Match 11.3.2
  oracle communications_billing_and_revenue_management: Match 12.0.0.4
  oracle communications_cloud_native_core_automated_test_suite: Match 1.8.0
  oracle communications_cloud_native_core_service_communication_proxy: Match 1.14.0
  oracle communications_cloud_native_core_unified_data_repository: Match 1.14.0
  oracle communications_diameter_intelligence_hub: Range 8.0.0 to 8.2.3
  oracle communications_session_route_manager: Range 8.0.0 to 8.2.5
  oracle financial_services_crime_and_compliance_management_studio: Match 8.0.8.2.0
  oracle financial_services_crime_and_compliance_management_studio: Match 8.0.8.3.0
  oracle financial_services_enterprise_case_management: Match 8.0.7.2.0
  oracle financial_services_enterprise_case_management: Match 8.0.8.1.0
  oracle flexcube_universal_banking: Range 14.0.0 to 14.3.0
  oracle flexcube_universal_banking: Match 12.4.0
  oracle flexcube_universal_banking: Match 14.5.0
  oracle healthcare_data_repository: Match 8.1.0
  oracle insurance_policy_administration: Match 11.0.2
  oracle insurance_policy_administration: Match 11.1.0
  oracle insurance_policy_administration: Match 11.2.8
  oracle insurance_policy_administration: Match 11.3.0
  oracle insurance_policy_administration: Match 11.3.1
  oracle peoplesoft_enterprise_peopletools: Match 8.57
  oracle peoplesoft_enterprise_peopletools: Match 8.58
  oracle peoplesoft_enterprise_peopletools: Match 8.59
  oracle primavera_unifier: Range 17.7 to 17.12
  oracle primavera_unifier: Match 18.8
  oracle primavera_unifier: Match 19.12
  oracle primavera_unifier: Match 20.12
  oracle utilities_testing_accelerator: Match 6.0.0.1.1
  oracle utilities_testing_accelerator: Match 6.0.0.2.2
  oracle utilities_testing_accelerator: Match 6.0.0.3.1
  oracle communications_messaging_server: Match 8.1

Vendor | Product | Version | CPE
apache | commons_compress | * | cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*
netapp | active_iq_unified_manager | - | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
netapp | active_iq_unified_manager | - | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
netapp | active_iq_unified_manager | - | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
netapp | oncommand_insight | - | cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
oracle | banking_digital_experience | * | cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:*
oracle | banking_digital_experience | 19.1 | cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*
oracle | banking_digital_experience | 20.1 | cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
oracle | banking_digital_experience | 21.1 | cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*
oracle | banking_enterprise_default_management | 2.7.0 | cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Apache Commons Compress",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "Apache Commons Compress*",
        "status": "affected",
        "version": "1.6",
        "versionType": "custom"
      }
    ]
  }
]
