Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
CVE-2021-35515

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Commons Compress
Vendor: CVE Published:; 13 July 2021

Summary

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Affected Version(s)

Apache Commons Compress 1.6

References

https://commons.apache.org/proper/commons-compress/securi...

x_refsource_MISC

https://lists.apache.org/thread.html/r19ebfd71770ec0617a9...

x_refsource_MISC

http://www.openwall.com/lists/oss-security/2021/07/13/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 13, 2021
Vulnerability Reserved
Jun 27, 2021

Credit

This issue was discovered by OSS Fuzz.