What is CVE-2021-35517?

CVE-2021-35517 is a high-severity vulnerability in Apache Commons_compress, classified under Improper Handling of Length Parameter Inconsistency. CVSS score: 7.5/10. Published 2021-07-13.

How severe is CVE-2021-35517?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2021-35517 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Resource exhaustion in Apache Commons_compress

CVE-2021-35517

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against…

EPSS: 0.109 (95.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Apache Commons_compress
Apache Software Foundation Commons Compress — versions 1.1
Netapp Active_iq_unified_manager
Netapp Oncommand_insight
Oracle Banking_apis — versions 19.1, 19.2, 20.1
Oracle Banking_digital_experience — versions 19.1, 19.2, 20.1
Oracle Banking_enterprise_default_management — versions 2.7.0
Oracle Banking_party_management — versions 2.7.0
Oracle Banking_payments — versions 14.5
Oracle Banking_trade_finance — versions 14.5

Weakness classification (CWE)

Public proof-of-concept exploits

References

security@apache.org (x_refsource_MISC, Vendor Advisory)
security@apache.org (Mailing List, x_refsource_MISC, Vendor Advisory)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)
security@apache.org (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2021-35517?: CVE-2021-35517 is a high-severity vulnerability in Apache Commons_compress, classified under Improper Handling of Length Parameter Inconsistency. CVSS score: 7.5/10. Published 2021-07-13.
How severe is CVE-2021-35517?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2021-35517 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.