CVE-2021-35517

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Published: Jul 13, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-35517
GHSA: GHSA-xqfj-vm6h-2x34
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

Affected Software
References

Software	From	Fixed in
apache / commons_compress	1.1	1.20.x
oracle / webcenter_portal	12.2.1.3.0	12.2.1.3.0.x
oracle / business_process_management_suite	12.2.1.3.0	12.2.1.3.0.x
oracle / peoplesoft_enterprise_peopletools	8.57	8.57.x
oracle / primavera_unifier	18.8	18.8.x
oracle / primavera_unifier	17.7	17.12.x
oracle / banking_digital_experience	19.1	19.1.x
oracle / flexcube_universal_banking	14.0.0	14.3.0.x
oracle / peoplesoft_enterprise_peopletools	8.58	8.58.x
oracle / primavera_unifier	19.12	19.12.x
oracle / webcenter_portal	12.2.1.4.0	12.2.1.4.0.x
oracle / banking_digital_experience	19.2	19.2.x
oracle / banking_digital_experience	20.1	20.1.x
oracle / primavera_unifier	20.12	20.12.x
oracle / business_process_management_suite	12.2.1.4.0	12.2.1.4.0.x
oracle / communications_messaging_server	8.1	8.1.x
oracle / commerce_guided_search	11.3.2	11.3.2.x
oracle / peoplesoft_enterprise_peopletools	8.59	8.59.x
oracle / insurance_policy_administration	11.3.0	11.3.0.x
oracle / insurance_policy_administration	11.0.2	11.0.2.x
oracle / financial_services_enterprise_case_management	8.0.8.1.0	8.0.8.1.0.x
oracle / financial_services_enterprise_case_management	8.0.7.2.0	8.0.7.2.0.x
oracle / healthcare_data_repository	8.1.0	8.1.0.x
oracle / communications_session_route_manager	8.0.0	8.2.5.x
oracle / banking_party_management	2.7.0	2.7.0.x
oracle / utilities_testing_accelerator	6.0.0.2.2	6.0.0.2.2.x
oracle / utilities_testing_accelerator	6.0.0.3.1	6.0.0.3.1.x
oracle / utilities_testing_accelerator	6.0.0.1.1	6.0.0.1.1.x
oracle / banking_digital_experience	21.1	21.1.x
oracle / banking_apis	18.1	18.3.x
oracle / banking_apis	19.1	19.1.x
oracle / banking_apis	19.2	19.2.x
oracle / banking_apis	20.1	20.1.x
oracle / banking_apis	21.1	21.1.x
oracle / communications_cloud_native_core_unified_data_repository	1.14.0	1.14.0.x
oracle / communications_cloud_native_core_service_communication_proxy	1.14.0	1.14.0.x
oracle / communications_billing_and_revenue_management	12.0.0.4	12.0.0.4.x
oracle / insurance_policy_administration	11.1.0	11.1.0.x
oracle / insurance_policy_administration	11.3.1	11.3.1.x
oracle / banking_enterprise_default_management	2.7.0	2.7.0.x
oracle / banking_digital_experience	18.1	18.3.x
oracle / insurance_policy_administration	11.2.8	11.2.8.x
oracle / banking_payments	14.5	14.5.x
oracle / banking_trade_finance	14.5	14.5.x
oracle / banking_treasury_management	14.5	14.5.x
oracle / communications_diameter_intelligence_hub	8.0.0	8.2.3.x
oracle / flexcube_universal_banking	14.5	14.5.x
oracle / flexcube_universal_banking	12.4	12.4.x
oracle / financial_services_crime_and_compliance_management_studio	8.0.8.2.0	8.0.8.2.0.x
oracle / financial_services_crime_and_compliance_management_studio	8.0.8.3.0	8.0.8.3.0.x
org.apache.commons / commons-compress	-	1.21

Vulnerability Database

289,599

CVE-2021-35517