CVSS3: 7.1 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CVSS2: 3.6 Low

Metric | Value |
---|---|
Access Vector | LOCAL |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

AV:L/AC:L/Au:N/C:P/I:N/A:P

EPSS: 0.001 Low (Percentile: 33.1%)

An out-of-bounds array read in the apr_time_exp*() functions was fixed in
the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for
this issue was not carried forward to the APR 1.7.x branch, and hence
version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same
issue.
Author | Note |
---|---|
leosilva | the fix was removed in 1.7.x branches, but it is addressed in 1.6.x and later. xenial and trusty/esm are affected. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 21.04 | noarch | apr | < 1.7.0-6ubuntu0.1 | UNKNOWN |
ubuntu | 21.10 | noarch | apr | < 1.7.0-6ubuntu1 | UNKNOWN |
ubuntu | 22.04 | noarch | apr | < 1.7.0-6ubuntu1 | UNKNOWN |
ubuntu | 14.04 | noarch | apr | < 1.5.0-1ubuntu0.1~esm1 (Available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
ubuntu | 16.04 | noarch | apr | < 1.5.2-3ubuntu0.1~esm1 (Available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E
svn.apache.org/viewvc?view=revision&revision=1891198
www.openwall.com/lists/oss-security/2021/08/23/1
dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
launchpad.net/bugs/cve/CVE-2021-35940
lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E
lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2021-35940
security-tracker.debian.org/tracker/CVE-2021-35940
ubuntu.com/security/notices/USN-5056-1
www.cve.org/CVERecord?id=CVE-2021-35940