Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2021-36090

Published: 13/07/2021 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Subscribe to Commons Compress

Vulnerability Summary

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache commons compress

oracle webcenter portal 12.2.1.3.0

oracle business process management suite 12.2.1.3.0

oracle peoplesoft enterprise peopletools 8.57

oracle banking platform 2.6.2

oracle primavera unifier 18.8

oracle primavera unifier

oracle communications unified inventory management 7.4.0

oracle banking digital experience 19.1

oracle flexcube universal banking

oracle peoplesoft enterprise peopletools 8.58

oracle primavera unifier 19.12

oracle webcenter portal 12.2.1.4.0

oracle banking digital experience 19.2

oracle banking digital experience 20.1

oracle banking platform 2.7.1

oracle banking platform 2.9.0

oracle primavera unifier 20.12

oracle business process management suite 12.2.1.4.0

oracle communications messaging server 8.1

oracle commerce guided search 11.3.2

oracle peoplesoft enterprise peopletools 8.59

oracle communications unified inventory management 7.4.1

oracle insurance policy administration 11.3.0

oracle insurance policy administration 11.0.2

oracle primavera gateway

oracle financial services enterprise case management 8.0.8.1.0

oracle financial services enterprise case management

oracle financial services enterprise case management 8.0.7.2.0

oracle banking platform 2.12.0

oracle communications element manager

oracle financial services analytical applications infrastructure

oracle communications session route manager

oracle communications session report manager

oracle healthcare data repository 8.1.0

oracle banking party management 2.7.0

oracle utilities testing accelerator 6.0.0.2.2

oracle utilities testing accelerator 6.0.0.3.1

oracle utilities testing accelerator 6.0.0.1.1

oracle banking digital experience 21.1

oracle banking apis

oracle banking apis 19.1

oracle banking apis 19.2

oracle banking apis 20.1

oracle banking apis 21.1

oracle communications unified inventory management 7.4.2

oracle communications cloud native core unified data repository 1.14.0

oracle communications cloud native core service communication proxy 1.14.0

oracle communications cloud native core automated test suite 1.8.0

oracle communications billing and revenue management 12.0.0.4

oracle communications unified inventory management 7.5.0

oracle insurance policy administration 11.1.0

oracle insurance policy administration 11.3.1

oracle banking enterprise default management 2.7.0

oracle banking digital experience

oracle insurance policy administration 11.2.8

oracle banking payments 14.5

oracle banking trade finance 14.5

oracle banking treasury management 14.5

oracle communications diameter intelligence hub

oracle flexcube universal banking 14.5

oracle flexcube universal banking 12.4

oracle communications diameter intelligence hub 8.2.3

oracle financial services crime and compliance management studio 8.0.8.2.0

oracle financial services crime and compliance management studio 8.0.8.3.0

netapp oncommand insight -

netapp active iq unified manager -

Vendor Advisories

Debian CVElist Bug Report Logs: libcommons-compress-java: CVE-2021-36090 CVE-2021-35517 CVE-2021-35516 CVE-2021-35515
Debian Bug report logs - #991041 libcommons-compress-java: CVE-2021-36090 CVE-2021-35517 CVE-2021-35516 CVE-2021-35515 Package: src:libcommons-compress-java; Maintainer for src:libcommons-compress-java is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Moritz Mühlenhoff <jmm@inutilorg ...
Red Hat: Moderate: RHV Manager (ovirt-engine) [ovirt-4.5.1] security, bug fix and update
Synopsis Moderate: RHV Manager (ovirt-engine) [ovirt-451] security, bug fix and update Type/Severity Security Advisory: Moderate Red Hat Insights patch analysis Identify and remediate systems affected by this advisory View affected systems Topic Updated ovirt-engine packages that fix several bugs and add various enhancements are ...
Red Hat: Important: Red Hat Fuse 7.11.0 release and security update
Synopsis Important: Red Hat Fuse 7110 release and security update Type/Severity Security Advisory: Important Topic A minor version update (from 710 to 711) is now available for Red Hat Fuse The purpose of this text-only errata is to inform you about the security issues fixed in this releaseRed Hat Product Security has rated this update ...
Red Hat: CVE-2021-36090
A flaw was found in apache-commons-compress When reading a specially crafted ZIP archive, Compress can allocate large amounts of memory that leads to an out-of-memory error for small inputs This flaw allows the mounting of a denial of service attack against services that use Compress' zip package The highest threat from this vulnerability is to ...
Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Automation Director and Hitachi Ops Center Automator
Hitachi Automation Director and Hitachi Ops Center Automator contain the following vulnerabilities: CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 Affected products and versions are listed below Please upgrade your version to the appropriate version To find fixed products, need to find same number following product name in [A ...

Mailing Lists

Full Disclosure: CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability
<!--X-Body-Begin--> <!--X-User-Header--> oss-sec mailing list archives <!--X-User-Header-End--> <!--X-TopPNI--> By Date By Thread </form> <!--X-TopPNI-End--> <!--X-MsgBody--> <!--X-Subject-Header-Begin--> CVE-2021-36090: Apache Commons Compress 10 to 120 denial of service vulnerability <!--X-Subject-Header-End--> <!--X-Head-of- ...

References

NVD-CWE-Otherhttps://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3Ehttps://commons.apache.org/proper/commons-compress/security-reports.htmlhttp://www.openwall.com/lists/oss-security/2021/07/13/4http://www.openwall.com/lists/oss-security/2021/07/13/6https://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://security.netapp.com/advisory/ntap-20211022-0001/https://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.oracle.com/security-alerts/cpuapr2022.htmlhttps://www.oracle.com/security-alerts/cpujul2022.htmlhttps://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53%40%3Cannounce.apache.org%3Ehttps://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3Ehttps://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9%40%3Cannounce.apache.org%3Ehttps://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7%40%3Cnotifications.james.apache.org%3Ehttps://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3Ehttps://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3Ehttps://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3Ehttps://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3Ehttps://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3Ehttps://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3Ehttps://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3Ehttps://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3Ehttps://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3Ehttps://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3Ehttps://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3Ehttps://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf%40%3Cdev.drill.apache.org%3Ehttps://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6%40%3Cissues.drill.apache.org%3Ehttps://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d%40%3Cdev.drill.apache.org%3Ehttps://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949%40%3Ccommits.drill.apache.org%3Ehttps://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab%40%3Cdev.drill.apache.org%3Ehttps://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a%40%3Cissues.drill.apache.org%3Ehttps://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456%40%3Cdev.drill.apache.org%3Ehttps://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3Cissues.drill.apache.org%3Ehttps://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3Ehttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991041https://nvd.nist.govhttps://access.redhat.com/security/cve/cve-2021-36090
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-38298CVE-2024-20356CVE-2023-21987CVE-2024-33217bypassCVE-2024-31804CVE-2024-32660unauthorizedSSRF
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook