CVE-2021-35517

EPSS 0.28%
Published 13.07.2021 08:15:07
Last modified 21.11.2024 06:12:25
Source security@apache.org
Teams watchlist Login
Open Login

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Affected products Warnungen 0 Metrics 3 CWE 2 References 25

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Commons Compress Version >= 1.1 <= 1.20

Netapp ≫ Active Iq Unified Manager Version- SwPlatformlinux

Netapp ≫ Active Iq Unified Manager Version- SwPlatformvmware_vsphere

Netapp ≫ Active Iq Unified Manager Version- SwPlatformwindows

Netapp ≫ Oncommand Insight Version-

Oracle ≫ Banking Apis Version >= 18.1 <= 18.3

Oracle ≫ Banking Apis Version19.1

Oracle ≫ Banking Apis Version19.2

Oracle ≫ Banking Apis Version20.1

Oracle ≫ Banking Apis Version21.1

Oracle ≫ Banking Digital Experience Version >= 18.1 <= 18.3

Oracle ≫ Banking Digital Experience Version19.1

Oracle ≫ Banking Digital Experience Version19.2

Oracle ≫ Banking Digital Experience Version20.1

Oracle ≫ Banking Digital Experience Version21.1

Oracle ≫ Banking Enterprise Default Management Version2.7.0

Oracle ≫ Banking Party Management Version2.7.0

Oracle ≫ Banking Payments Version14.5

Oracle ≫ Banking Trade Finance Version14.5

Oracle ≫ Banking Treasury Management Version14.5

Oracle ≫ Business Process Management Suite Version12.2.1.3.0

Oracle ≫ Business Process Management Suite Version12.2.1.4.0

Oracle ≫ Commerce Guided Search Version11.3.2

Oracle ≫ Communications Billing And Revenue Management Version12.0.0.4

Oracle ≫ Communications Cloud Native Core Service Communication Proxy Version1.14.0

Oracle ≫ Communications Cloud Native Core Unified Data Repository Version1.14.0

Oracle ≫ Communications Diameter Intelligence Hub Version >= 8.0.0 <= 8.2.3

Oracle ≫ Communications Session Route Manager Version >= 8.0.0 <= 8.2.5

Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.2.0

Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.3.0

Oracle ≫ Financial Services Enterprise Case Management Version8.0.7.2.0

Oracle ≫ Financial Services Enterprise Case Management Version8.0.8.1.0

Oracle ≫ Flexcube Universal Banking Version >= 14.0.0 <= 14.3.0

Oracle ≫ Flexcube Universal Banking Version12.4

Oracle ≫ Flexcube Universal Banking Version14.5

Oracle ≫ Healthcare Data Repository Version8.1.0

Oracle ≫ Insurance Policy Administration Version11.0.2

Oracle ≫ Insurance Policy Administration Version11.1.0

Oracle ≫ Insurance Policy Administration Version11.2.8

Oracle ≫ Insurance Policy Administration Version11.3.0

Oracle ≫ Insurance Policy Administration Version11.3.1

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.57

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.58

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.59

Oracle ≫ Primavera Unifier Version >= 17.7 <= 17.12

Oracle ≫ Primavera Unifier Version18.8

Oracle ≫ Primavera Unifier Version19.12

Oracle ≫ Primavera Unifier Version20.12

Oracle ≫ Utilities Testing Accelerator Version6.0.0.1.1

Oracle ≫ Utilities Testing Accelerator Version6.0.0.2.2

Oracle ≫ Utilities Testing Accelerator Version6.0.0.3.1

Oracle ≫ Webcenter Portal Version12.2.1.3.0

Oracle ≫ Webcenter Portal Version12.2.1.4.0

Oracle ≫ Communications Messaging Server Version8.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.28%	0.511

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-130 Improper Handling of Length Parameter Inconsistency

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory