Vulnerability in Apache Commons_compress
CVE-2021-36090
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against…
EPSS: 0.133 (95.9th percentile).
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Affected products
- Apache Commons_compress
- Apache Software Foundation Commons Compress
- Netapp Active_iq_unified_manager
- Netapp Oncommand_insight
- Oracle Banking_apis — versions 19.1, 19.2, 20.1
- Oracle Banking_digital_experience — versions 19.1, 19.2, 20.1
- Oracle Banking_enterprise_default_management — versions 2.7.0
- Oracle Banking_party_management — versions 2.7.0
- Oracle Banking_payments — versions 14.5
- Oracle Banking_platform — versions 2.6.2, 2.7.1, 2.9.0
Weakness classification (CWE)
- CWE-130: Improper Handling of Length Parameter Inconsistency
Public proof-of-concept exploits
References
- security@apache.org (x_refsource_MISC, Vendor Advisory)
- security@apache.org (mailing-list, x_refsource_MLIST, Mailing List, Third Party Advisory)
- security@apache.org (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2021-36090?
- CVE-2021-36090 is a high-severity vulnerability in Apache Commons_compress, classified under Improper Handling of Length Parameter Inconsistency. CVSS score: 7.5/10. Published 2021-07-13.
- How severe is CVE-2021-36090?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2021-36090 known to be exploited?
- 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.