CVE-2021-35516

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Published: Jul 13, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-35516
GHSA: GHSA-crv7-7245-f45f
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
apache / commons_compress	1.6	1.20.x
oracle / flexcube_universal_banking	12.4.0	12.4.0.x
oracle / webcenter_portal	12.2.1.3.0	12.2.1.3.0.x
oracle / business_process_management_suite	12.2.1.3.0	12.2.1.3.0.x
oracle / peoplesoft_enterprise_peopletools	8.57	8.57.x
oracle / primavera_unifier	18.8	18.8.x
oracle / primavera_unifier	17.7	17.12.x
oracle / banking_digital_experience	19.1	19.1.x
oracle / flexcube_universal_banking	14.0.0	14.3.0.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / primavera_unifier	19.12	19.12.x
oracle / webcenter_portal	12.2.1.4.0	12.2.1.4.0.x
oracle / banking_digital_experience	19.2	19.2.x
oracle / banking_digital_experience	20.1	20.1.x
oracle / primavera_unifier	20.12	20.12.x
oracle / business_process_management_suite	12.2.1.4.0	12.2.1.4.0.x
oracle / communications_messaging_server	8.1	8.1.x
oracle / commerce_guided_search	11.3.2	11.3.2.x
oracle / peoplesoft_enterprise_peopletools	8.59	8.59.x
oracle / insurance_policy_administration	11.3.0	11.3.0.x
oracle / insurance_policy_administration	11.0.2	11.0.2.x
oracle / financial_services_enterprise_case_management	8.0.8.1.0	8.0.8.1.0.x
oracle / financial_services_enterprise_case_management	8.0.7.2.0	8.0.7.2.0.x
oracle / healthcare_data_repository	8.1.0	8.1.0.x
oracle / communications_session_route_manager	8.0.0	8.2.5.x
oracle / banking_party_management	2.7.0	2.7.0.x
oracle / utilities_testing_accelerator	6.0.0.2.2	6.0.0.2.2.x
oracle / utilities_testing_accelerator	6.0.0.3.1	6.0.0.3.1.x
oracle / utilities_testing_accelerator	6.0.0.1.1	6.0.0.1.1.x
oracle / banking_digital_experience	21.1	21.1.x
oracle / communications_cloud_native_core_unified_data_repository	1.14.0	1.14.0.x
oracle / communications_cloud_native_core_service_communication_proxy	1.14.0	1.14.0.x
oracle / communications_cloud_native_core_automated_test_suite	1.8.0	1.8.0.x
oracle / communications_billing_and_revenue_management	12.0.0.4	12.0.0.4.x
oracle / insurance_policy_administration	11.1.0	11.1.0.x
oracle / insurance_policy_administration	11.3.1	11.3.1.x
oracle / banking_enterprise_default_management	2.7.0	2.7.0.x
oracle / banking_digital_experience	18.1	18.3.x
oracle / insurance_policy_administration	11.2.8	11.2.8.x
oracle / communications_diameter_intelligence_hub	8.0.0	8.2.3.x
oracle / flexcube_universal_banking	14.5	14.5.x
oracle / financial_services_crime_and_compliance_management_studio	8.0.8.2.0	8.0.8.2.0.x
oracle / financial_services_crime_and_compliance_management_studio	8.0.8.3.0	8.0.8.3.0.x
org.apache.commons / commons-compress	-	1.21

Vulnerability Database

289,599

CVE-2021-35516