What is CVE-2021-35516?

CVE-2021-35516 is a high-severity vulnerability in Apache Commons_compress, classified under Improper Handling of Length Parameter Inconsistency. CVSS score: 7.5/10. Published 2021-07-13.

How severe is CVE-2021-35516?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2021-35516 known to be exploited?

6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Resource exhaustion in Apache Commons_compress

CVE-2021-35516

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against s…

EPSS: 0.127 (95.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Apache Commons_compress
Apache Software Foundation Commons Compress — versions 1.6
Netapp Active_iq_unified_manager
Netapp Oncommand_insight
Oracle Banking_digital_experience — versions 19.1, 19.2, 20.1
Oracle Banking_enterprise_default_management — versions 2.7.0
Oracle Banking_party_management — versions 2.7.0
Oracle Business_process_management_suite — versions 12.2.1.3.0, 12.2.1.4.0
Oracle Commerce_guided_search — versions 11.3.2
Oracle Communications_billing_and_revenue_management — versions 12.0.0.4

Weakness classification (CWE)

Public proof-of-concept exploits

References

security@apache.org (x_refsource_MISC, Vendor Advisory)
security@apache.org (Mailing List, x_refsource_MISC, Vendor Advisory)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2021-35516?: CVE-2021-35516 is a high-severity vulnerability in Apache Commons_compress, classified under Improper Handling of Length Parameter Inconsistency. CVSS score: 7.5/10. Published 2021-07-13.
How severe is CVE-2021-35516?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2021-35516 known to be exploited?: 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.