Vulnerability Name: CVE-2021-35515 (CCN-205304)
Assigned: 2021-07-13
Published: 2021-07-13
Updated: 2023-02-28
Summary: Apache Commons Compress is vulnerable to a denial of service, caused by an infinite loop flaw in the construction of the list of codecs that decompress an entry. By persuading a victim to open a specially-crafted 7Z archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress' sevenz package.
CVSS v3 Severity:
  7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
CVSS v2 Severity:
  5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Vulnerability Consequences: Denial of Service
References:
  Source: MITRE Type: CNA CVE-2021-35515
  Source: security@apache.org Type: Mailing List, Third Party Advisory security@apache.org
  Source: CCN Type: Apache Web site Apache Commons Compress
  Source: security@apache.org Type: Vendor Advisory security@apache.org
  Source: XF Type: UNKNOWN apache-cve202135515-dos(205304)
  Source: security@apache.org Type: Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Exploit, Mailing List, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Exploit, Mailing List, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Patch, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Exploit, Mailing List, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Patch, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Patch, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Patch, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Vendor Advisory security@apache.org
  Source: security@apache.org Type: Mailing List, Patch, Vendor Advisory security@apache.org
  Source: CCN Type: oss-sec Mailing List, Tue, 13 Jul 2021 04:00:47 +0000 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
  Source: security@apache.org Type: Third Party Advisory security@apache.org
  Source: CCN Type: IBM Security Bulletin 6480413 (Planning Analytics Local) IBM Planning Analytics Workspace is affected by security vulnerabilities
  Source: CCN Type: IBM Security Bulletin 6482503 (Content Navigator) IBM Content Navigator is vulnerable to a denial of service vulnerability.
  Source: CCN Type: IBM Security Bulletin 6484923 (Spectrum Protect Plus) Vulnerabilities in Apache Commons and Node.js affect IBM Spectrum Protect Plus
  Source: CCN Type: IBM Security Bulletin 6485153 (Spectrum Control) Vulnerabilities in Node.js, XStream and Apache Commons affect IBM Spectrum Control
  Source: CCN Type: IBM Security Bulletin 6490749 (Tivoli Netcool/OMNIbus) Multiple vulnerabilities in Apache Commons* affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)
  Source: CCN Type: IBM Security Bulletin 6492217 (Watson Discovery) IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Commons Compress
  Source: CCN Type: IBM Security Bulletin 6498123 (FileNet Content Manager) Apache commons-compress security vulnerabilities in IBM Content Manager
  Source: CCN Type: IBM Security Bulletin 6509082 (InfoSphere Information Server) IBM InfoSphere Information Server is affected by a denial of service vulnerability in Apache Commons Compress
  Source: CCN Type: IBM Security Bulletin 6516778 (Sterling Control Center) Apache Commons Compress Denial of Service Vulnerability Affects IBM Sterling Control Center (CVE-2021-35515)
  Source: CCN Type: IBM Security Bulletin 6525250 (Spectrum Copy Data Management) Vulnerabilities in PostgreSQL, Apache, Golang Go, and Linux Kernel affect IBM Spectrum Copy Data Management
  Source: CCN Type: IBM Security Bulletin 6527968 (Business Automation Workflow) Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow -CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
  Source: CCN Type: IBM Security Bulletin 6570915 (Data Risk Manager) IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)
  Source: CCN Type: IBM Security Bulletin 6592779 (QRadar SIEM) Apache Commons as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-36090, CVE-2021-35517)
  Source: CCN Type: IBM Security Bulletin 6601115 (Tivoli Network Manager) Apache Commons as used by IBM Tivoli Network Manager is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090)
  Source: CCN Type: IBM Security Bulletin 6614553 (Sterling B2B Integrator) IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Apache Commons Compress
  Source: CCN Type: Oracle CPUApr2022 Oracle Critical Patch Update Advisory - April 2022
  Source: security@apache.org Type: Patch, Third Party Advisory security@apache.org
  Source: security@apache.org Type: Patch, Third Party Advisory security@apache.org
  Source: security@apache.org Type: Patch, Third Party Advisory security@apache.org
  Source: security@apache.org Type: Patch, Third Party Advisory security@apache.org
Vulnerable Configuration: Configuration CCN 1: Denotes that component is vulnerable