Vulnerability Details : CVE-2021-35940
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.
Products affected by CVE-2021-35940
- cpe:2.3:a:apache:portable_runtime:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-35940
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 33 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-35940
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.6
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:P |
3.9
|
4.9
|
NIST | |
7.1
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
1.8
|
5.2
|
NIST |
CWE ids for CVE-2021-35940
-
The product reads data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-35940
-
https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch
Patch;Vendor Advisory
-
https://lists.apache.org/thread.html/r72a069753b9363c29732e59ad8f0d22a633fb6a699980407511ac961@%3Cdev.apr.apache.org%3E
Re: APR 1.7.1 release? - Pony MailMailing List;Vendor Advisory
-
http://svn.apache.org/viewvc?view=revision&revision=1891198
[Apache-SVN] Revision 1891198Vendor Advisory
-
https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.apr.apache.org%3E
APR 1.7.1 release? - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/ra38094406cc38a05218ebd1158187feda021b0c3a1df400bbf296af8@%3Cdev.apr.apache.org%3E
Re: CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rb1f3c85f50fbd924a0051675118d1609e57957a02ece7facb723155b@%3Cannounce.apache.org%3E
CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613 - Pony MailMailing List;Patch;Vendor Advisory
-
http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw@mail.gmail.com%3E
[Announce] Apache Portable Runtime APR 1.6.3, APR-util 1.6.1 and APR-iconv 1.2.2 ReleasedMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r7bb4a6ed88fc48152174e664aae30ea9a8b058eb5b44cf08cb9beb4b@%3Cdev.httpd.apache.org%3E
APR 1.7.1 release? - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r317c398ee5736e627f7887b06607e5c58b45a696d352ba8c14615f55@%3Cdev.apr.apache.org%3E
Re: APR 1.7.1 release? - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/rafe54755850e93de287c36540972457b2dd86332106aa7817c7c27fb@%3Cdev.tomcat.apache.org%3E
[jira] [Commented] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r54c755c74b9e3846cfd84039b1967d37d2870750a02d7c603983f6ed@%3Cdev.tomcat.apache.org%3E
[jira] [Resolved] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r1c788464a25fbc046a72aff451bc8186386315d92a2dd0349903fa4f@%3Cdev.tomcat.apache.org%3E
[jira] [Reopened] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940 - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e@%3Cdev.apr.apache.org%3E
Mailing List;Vendor Advisory
-
http://www.openwall.com/lists/oss-security/2021/08/23/1
oss-security - CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r72479f4dcffaa8a4732d5a0e87fecc4bace4932e28fc26f7d400e2b3@%3Cdev.tomcat.apache.org%3E
[jira] [Created] (MTOMCAT-327) Tomcat 9.0.50 and it has apr-1.7.0 dependency, with Address CVE-2021-35940 - Pony MailMailing List;Vendor Advisory
-
https://www.oracle.com/security-alerts/cpujul2022.html
Oracle Critical Patch Update Advisory - July 2022Patch;Third Party Advisory
-
https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E
CVE-2021-35940: Apache Portable Runtime (APR): Regression of CVE-2017-12613 - Pony MailMailing List;Vendor Advisory
Jump to