oss-sec mailing list archives

CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability


From: Stefan Bodewig <bodewig () apache org>
Date: Tue, 13 Jul 2021 04:00:47 +0000

Severity: low

Description:

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
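The following is an added illustration, not code from the advisory or from the Commons Compress project, of how a service that must accept 7Z uploads can bound the damage from an entry whose codec chain never resolves: the archive is processed on a daemon worker thread with a wall-clock budget and a decompressed-size cap, so a request thread is never pinned indefinitely. The budget (`SECONDS_PER_ARCHIVE`), the byte cap (`MAX_DECOMPRESSED_BYTES`) and the class name are assumptions chosen for the example; only the `SevenZFile` and `SevenZArchiveEntry` API calls belong to Commons Compress. This is defense in depth for the service, not a substitute for moving to a fixed release.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.compress.archivers.sevenz.SevenZArchiveEntry;
import org.apache.commons.compress.archivers.sevenz.SevenZFile;

/**
 * Added example (not part of the advisory or the Commons Compress project):
 * reads a 7Z archive on a worker thread with a time budget so that an entry
 * whose codec list never finishes building cannot block the caller forever.
 * SECONDS_PER_ARCHIVE and MAX_DECOMPRESSED_BYTES are assumed values.
 */
public final class BoundedSevenZReader {

    private static final long SECONDS_PER_ARCHIVE = 10;           // assumed budget
    private static final long MAX_DECOMPRESSED_BYTES = 64L << 20; // assumed cap (64 MiB)

    // Daemon threads: a worker stuck in a loop that never checks its interrupt
    // flag must neither keep the JVM alive nor be handed to another request.
    private static final ExecutorService WORKERS =
        Executors.newCachedThreadPool(r -> {
            Thread t = new Thread(r, "sevenz-reader");
            t.setDaemon(true);
            return t;
        });

    /** Returns the entry names, or throws if the time budget or byte cap is exceeded. */
    public static List<String> listEntries(File archive) throws Exception {
        Future<List<String>> job = WORKERS.submit(() -> readAll(archive));
        try {
            return job.get(SECONDS_PER_ARCHIVE, TimeUnit.SECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only interrupts; a loop that never polls the flag keeps
            // spinning on its daemon thread. The caller is released either way,
            // and the archive is treated as hostile.
            job.cancel(true);
            throw new IOException("7Z processing exceeded " + SECONDS_PER_ARCHIVE
                    + "s, archive rejected: " + archive, e);
        }
    }

    // Runs on the worker thread: walks every entry and drains its data so the
    // size cap covers the decompressed output, not just the file on disk.
    private static List<String> readAll(File archive) throws IOException {
        List<String> names = new ArrayList<>();
        long total = 0;
        byte[] buf = new byte[8192];
        try (SevenZFile sz = new SevenZFile(archive)) {
            SevenZArchiveEntry entry;
            while ((entry = sz.getNextEntry()) != null) {
                names.add(entry.getName());
                if (entry.isDirectory()) {
                    continue;
                }
                int n;
                while ((n = sz.read(buf)) > 0) {
                    total += n;
                    if (total > MAX_DECOMPRESSED_BYTES) {
                        throw new IOException("decompressed size cap exceeded");
                    }
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java BoundedSevenZReader <archive.7z>
        System.out.println(listEntries(new File(args[0])));
    }
}
```

Because the timeout cannot reclaim a thread that is spinning without polling its interrupt flag, a monitor on the number of live `sevenz-reader` threads (or a per-process cap on concurrent archive jobs) is what turns this from a per-request guard into a signal that the library in use is still affected and needs the 1.21 upgrade.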


Mitigation:

Commons Compress users should upgrade to 1.21 or later.


Credit:

This issue was discovered by OSS Fuzz.

References:

https://commons.apache.org/proper/commons-compress/security-reports.html

