Lucene search

[email protected]CVE-2021-35517

HistoryJul 13, 2021 - 8:15 a.m.

CVE-2021-35517

2021-07-1308:15:00

CWE-770

[email protected]

web.nvd.nist.gov

218

cve

2021

35517

vulnerability

denial of service

compress

tar

package

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.014 Low

EPSS

Percentile

86.0%

JSON

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress’ tar package.

CPENameOperatorVersion
apache:commons_compressapache commons compressle1.20
netapp:oncommand_insightnetapp oncommand insighteq-
netapp:active_iq_unified_managernetapp active iq unified managereq-
oracle:webcenter_portaloracle webcenter portaleq12.2.1.3.0
oracle:business_process_management_suiteoracle business process management suiteeq12.2.1.3.0
oracle:peoplesoft_enterprise_peopletoolsoracle peoplesoft enterprise peopletoolseq8.57
oracle:primavera_unifieroracle primavera unifiereq18.8
oracle:primavera_unifieroracle primavera unifierle17.12
oracle:banking_digital_experienceoracle banking digital experienceeq19.1
oracle:flexcube_universal_bankingoracle flexcube universal bankingle14.3.0

CPE	Name	Operator	Version
apache:commons_compress	apache commons compress	le	1.20
netapp:oncommand_insight	netapp oncommand insight	eq	-
netapp:active_iq_unified_manager	netapp active iq unified manager	eq	-
oracle:webcenter_portal	oracle webcenter portal	eq	12.2.1.3.0
oracle:business_process_management_suite	oracle business process management suite	eq	12.2.1.3.0
oracle:peoplesoft_enterprise_peopletools	oracle peoplesoft enterprise peopletools	eq	8.57
oracle:primavera_unifier	oracle primavera unifier	eq	18.8
oracle:primavera_unifier	oracle primavera unifier	le	17.12
oracle:banking_digital_experience	oracle banking digital experience	eq	19.1
oracle:flexcube_universal_banking	oracle flexcube universal banking	le	14.3.0

Rows per page:

1-10 of 521

References

www.openwall.com/lists/oss-security/2021/07/13/3

www.openwall.com/lists/oss-security/2021/07/13/5

commons.apache.org/proper/commons-compress/security-reports.html

lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E

lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E

lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E

lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E

lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E

lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E

lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E

lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E

lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E

lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E

lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E

lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E

lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E

lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E

security.netapp.com/advisory/ntap-20211022-0001/

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujan2022.html

www.oracle.com/security-alerts/cpujul2022.html

www.oracle.com/security-alerts/cpuoct2021.html

Social References

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.2 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.014 Low

EPSS

Percentile

86.0%

JSON

Related for CVE-2021-35517

ibm61 veracode1 osv2 github1 debiancve1 ubuntucve1 prion1 redhatcve1 nessus6 openvas4 suse2 mageia1 redhat2 oracle9