CVE-2021-36374

CVE-2021-36374

Name

CVE-2021-36374

Description

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
MISC	https://ant.apache.org/security.html
MLIST	https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E
MLIST	https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E
MLIST	https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E
Third Party Advisory	https://security.netapp.com/advisory/ntap-20210819-0007/
Mailing List	https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E
MISC	https://www.oracle.com/security-alerts/cpuoct2021.html
Patch	https://www.oracle.com/security-alerts/cpujan2022.html
MISC	https://www.oracle.com/security-alerts/cpuapr2022.html

Type

URI

MISC

https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E

MISC

https://ant.apache.org/security.html

MLIST

https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E

MLIST

https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E

MLIST

https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E

Third Party Advisory

https://security.netapp.com/advisory/ntap-20210819-0007/

Mailing List

https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E

MISC

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

https://www.oracle.com/security-alerts/cpujan2022.html

MISC

https://www.oracle.com/security-alerts/cpuapr2022.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:apache:ant::::::::`	ant	>= 1.9.0	< 1.9.16
`cpe:2.3:a:apache:ant::::::::`	ant	>= 1.10.0	< 1.10.11

CPE URI

Source package

Min version

Max version

cpe:2.3:a:apache:ant:*:*:*:*:*:*:*:*

ant

>= 1.9.0

< 1.9.16

cpe:2.3:a:apache:ant:*:*:*:*:*:*:*:*

ant

>= 1.10.0

< 1.10.11

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
apache-ant	edge-community	1.10.11-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
apache-ant	3.22-community	1.10.11-r0	None	fixed
apache-ant	3.21-community	1.10.11-r0	None	fixed
apache-ant	3.20-community	1.10.11-r0	None	fixed
apache-ant	3.19-community	1.10.11-r0	None	fixed
apache-ant	3.18-community	1.10.11-r0	None	fixed
apache-ant	3.17-community	1.10.11-r0	None	fixed

Source package

Branch

Version

Maintainer

Status

apache-ant

edge-community

1.10.11-r0

Jakub Jirutka <jakub@jirutka.cz>

fixed

apache-ant

3.22-community