CVE-2021-36374 : When reading a specially crafted ZIP archive, or a derived formats, an Apache An

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Published 2021-07-14 07:15:08

Updated 2023-02-28 15:22:30

Source Apache Software Foundation

View at NVD, CVE.org

Products affected by CVE-2021-36374

Apache » ANT
Versions from including (>=) 1.10.0 and before (<) 1.10.11
cpe:2.3:a:apache:ant:*:*:*:*:*:*:*:*
Matching versions
Apache » ANT
Versions from including (>=) 1.9.0 and before (<) 1.9.16
cpe:2.3:a:apache:ant:*:*:*:*:*:*:*:*
Matching versions
Oracle » Timesten In-memory Database
Versions before (<) 11.2.2.8.27
cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*
Matching versions
Oracle » Agile Engineering Data Management » Version: 6.2.1.0
cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 16.0.6
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.6:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 17.0.4
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 18.0.3
cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 19.0.2
cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Xstore Point Of Service » Version: 20.0.1
cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 14.1.3.2
cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 15.0.4.0
cpe:2.3:a:oracle:retail_integration_bus:15.0.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 16.0.3.0
cpe:2.3:a:oracle:retail_integration_bus:16.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Integration Bus » Version: 19.0.1.0
cpe:2.3:a:oracle:retail_integration_bus:19.0.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Health Sciences Information Manager
Versions from including (>=) 3.0.1 and up to, including, (<=) 3.0.5
cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*
Matching versions
Oracle » Health Sciences Information Manager » Version: 3.0.0.1
cpe:2.3:a:oracle:health_sciences_information_manager:3.0.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Service Backbone » Version: 14.1.3.2
cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Service Backbone » Version: 15.0.4.0
cpe:2.3:a:oracle:retail_service_backbone:15.0.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Service Backbone » Version: 16.0.3.0
cpe:2.3:a:oracle:retail_service_backbone:16.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Service Backbone » Version: 19.0.1.0
cpe:2.3:a:oracle:retail_service_backbone:19.0.1.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Store Inventory Management » Version: 14.1
cpe:2.3:a:oracle:retail_store_inventory_management:14.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Store Inventory Management » Version: 16.0
cpe:2.3:a:oracle:retail_store_inventory_management:16.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Store Inventory Management » Version: 15.0
cpe:2.3:a:oracle:retail_store_inventory_management:15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 17.12.0 and up to, including, (<=) 17.12.11
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 20.12.0 and up to, including, (<=) 20.12.7
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 18.8.0 and up to, including, (<=) 18.8.12
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Gateway
Versions from including (>=) 19.12.0 and up to, including, (<=) 19.12.11
cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier
Versions from including (>=) 17.7 and up to, including, (<=) 17.12
cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 18.8
cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 19.12
cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*
Matching versions
Oracle » Primavera Unifier » Version: 20.12
cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Invoice Matching » Version: 16.0.3
cpe:2.3:a:oracle:retail_invoice_matching:16.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Enterprise Repository » Version: 11.1.1.7.0
cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Back Office » Version: 14.1
cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Back Office » Version: 14.0
cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Point-of-service » Version: 14.0
cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Point-of-service » Version: 14.1
cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Merchandising System » Version: 19.0.1
cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Financial Services Analytical Applications Infrastructure
Versions from including (>=) 8.0.6 and up to, including, (<=) 8.1.1
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Order And Service Management » Version: 7.4
cpe:2.3:a:oracle:communications_order_and_service_management:7.4:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Order And Service Management » Version: 7.3
cpe:2.3:a:oracle:communications_order_and_service_management:7.3:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.4.0
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.3.0
cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.4.1
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.4.2
cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Unified Inventory Management » Version: 7.5.0
cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Central Office » Version: 14.1
cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Central Office » Version: 14.0
cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Bulk Data Integration » Version: 16.0.3.0
cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Bulk Data Integration » Version: 19.0.1
cpe:2.3:a:oracle:retail_bulk_data_integration:19.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Predictive Application Server » Version: 15.0.3
cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Predictive Application Server » Version: 16.0.3.0
cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Predictive Application Server » Version: 14.1.3
cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*
Matching versions
Oracle » Insurance Policy Administration
Versions from including (>=) 11.0 and up to, including, (<=) 11.3.1
cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Extract Transform And Load » Version: 13.2.8
cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework
Versions from including (>=) 4.3.0.1.0 and up to, including, (<=) 4.3.0.6.0
cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.2.0.2.0
cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.2.0.3.0
cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.4.0.0.0
cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.4.0.2.0
cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Framework » Version: 4.4.0.3.0
cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Agile Plm » Version: 9.3.6
cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Financial Integration » Version: 14.1.3.2
cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Financial Integration » Version: 15.0.4.0
cpe:2.3:a:oracle:retail_financial_integration:15.0.4.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Financial Integration » Version: 16.0.3.0
cpe:2.3:a:oracle:retail_financial_integration:16.0.3.0:*:*:*:*:*:*:*
Matching versions
Oracle » Real-time Decision Server » Version: 3.2.0.0
cpe:2.3:a:oracle:real-time_decision_server:3.2.0.0:*:*:*:*:*:*:*
Matching versions
Oracle » Real-time Decision Server » Version: 11.1.1.9.0
cpe:2.3:a:oracle:real-time_decision_server:11.1.1.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Advanced Inventory Planning » Version: 14.1
cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Advanced Inventory Planning » Version: 15.0
cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Advanced Inventory Planning » Version: 16.0
cpe:2.3:a:oracle:retail_advanced_inventory_planning:16.0:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Treasury Management » Version: 14.5
cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Eftlink » Version: 19.0.1
cpe:2.3:a:oracle:retail_eftlink:19.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Retail Eftlink » Version: 20.0.1
cpe:2.3:a:oracle:retail_eftlink:20.0.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Binding Support Function » Version: 1.11.0
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
Matching versions
Oracle » Utilities Testing Accelerator » Version: 6.0.0.1.1
cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Automated Test Suite » Version: 1.9.0
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Product Lifecycle Analytics » Version: 3.6.1
cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Trade Finance » Version: 14.5
cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Diameter Intelligence Hub
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.1.0
cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Diameter Intelligence Hub
Versions from including (>=) 8.2.0 and up to, including, (<=) 8.2.3
cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-36374

EPSS FAQ

0.15%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 32 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-36374

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High
5.5	MEDIUM	AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H	N/A	N/A	Oracle:CPUOct2023
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-36374

CWE-130 Improper Handling of Length Parameter Inconsistency

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

Assigned by: security@apache.org (Secondary)

References for CVE-2021-36374

https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E

[jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374) - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E

[GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E

[groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374) - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://ant.apache.org/security.html

Apache Ant - Apache Ant Security Reports
Patch;Vendor Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E

CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability - Pony Mail
Mailing List;Vendor Advisory
https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E

[groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374) - Pony Mail
Mailing List;Vendor Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210819-0007/

July 2021 Apache Ant Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022
Patch;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-36374

Products affected by CVE-2021-36374

Exploit prediction scoring system (EPSS) score for CVE-2021-36374

CVSS scores for CVE-2021-36374

CWE ids for CVE-2021-36374

References for CVE-2021-36374