CVE-2021-35515 (High) detected in commons-compress-1.20.jar #9
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2021-35515 - High Severity Vulnerability
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: Code2Graph/client/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210816014708_PTEZBB/downloadResource_SMPNAH/20210816015442/commons-compress-1.20.jar
Dependency Hierarchy:
Found in HEAD commit: 1321c443be3c5e8f97221bdffb8d95eda0aa3c94
Found in base branch: main
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35515
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: