CVE-2021-37137

EPSS 0.6%
Published 19.10.2021 15:15:07
Last modified 21.11.2024 06:14:43
Source reefs@jfrog.com
Teams watchlist Login
Open Login

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Affected products Warnungen 0 Metrics 3 CWE 1 References 16

Data is provided by the National Vulnerability Database (NVD)

Netty ≫ Netty Version < 4.1.68

Oracle ≫ Banking Apis Version >= 18.1 <= 18.3

Oracle ≫ Banking Apis Version19.1

Oracle ≫ Banking Apis Version19.2

Oracle ≫ Banking Apis Version20.1

Oracle ≫ Banking Apis Version21.1

Oracle ≫ Banking Digital Experience Version18.1

Oracle ≫ Banking Digital Experience Version18.2

Oracle ≫ Banking Digital Experience Version18.3

Oracle ≫ Banking Digital Experience Version19.1

Oracle ≫ Banking Digital Experience Version19.2

Oracle ≫ Banking Digital Experience Version20.1

Oracle ≫ Banking Digital Experience Version21.1

Oracle ≫ Commerce Guided Search Version11.3.2

Oracle ≫ Communications Brm - Elastic Charging Engine Version < 12.0.0.4.6

Oracle ≫ Communications Brm - Elastic Charging Engine Version12.0.0.5.0

Oracle ≫ Communications Cloud Native Core Binding Support Function Version1.10.0

Oracle ≫ Communications Diameter Signaling Router Version >= 8.0.0.0 <= 8.5.0.2

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.57

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.58

Oracle ≫ Peoplesoft Enterprise Peopletools Version8.59

Oracle ≫ Webcenter Portal Version12.2.1.3.0

Oracle ≫ Webcenter Portal Version12.2.1.4.0

Quarkus ≫ Quarkus Version < 2.2.4

Netapp ≫ Oncommand Insight Version-

Debian ≫ Debian Linux Version10.0

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.6%	0.684

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E

https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E