Strix
26.1K

CVE-2021-35515

HIGHCVSS 7.5/10EPSS 11.88%

Last modified

CVE-2021-35515 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.. EPSS estimates a 11.88% chance of exploitation in the next 30 days.

Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
11.88%

95.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
ApacheCommons Compress>= 1.6, <= 1.20
NetappActive Iq Unified ManagerAll versions
NetappOncommand InsightAll versions
OracleBanking Digital Experience>= 18.1, <= 18.3
OracleBanking Digital Experience19.1
OracleBanking Digital Experience20.1
OracleBanking Digital Experience21.1
OracleBanking Enterprise Default Management2.7.0
OracleBanking Party Management2.7.0
OracleBanking Payments14.5
OracleBanking Trade Finance14.5
OracleBanking Treasury Management14.5
OracleBusiness Process Management Suite12.2.1.3.0
OracleBusiness Process Management Suite12.2.1.4.0
OracleCommerce Guided Search11.3.2
OracleCommunications Billing And Revenue Management12.0.0.4
OracleCommunications Cloud Native Core Automated Test Suite1.8.0
OracleCommunications Cloud Native Core Service Communication Proxy1.14.0
OracleCommunications Cloud Native Core Unified Data Repository1.14.0
OracleCommunications Diameter Intelligence Hub>= 8.0.0, <= 8.2.3
OracleCommunications Session Route Manager>= 8.0.0, <= 8.2.5
OracleFinancial Services Crime And Compliance Management Studio8.0.8.2.0
OracleFinancial Services Crime And Compliance Management Studio8.0.8.3.0
OracleFinancial Services Enterprise Case Management8.0.7.2.0
OracleFinancial Services Enterprise Case Management8.0.8.1.0
OracleFlexcube Universal Banking>= 14.0.0, <= 14.3.0
OracleFlexcube Universal Banking12.4.0
OracleFlexcube Universal Banking14.5.0
OracleHealthcare Data Repository8.1.0
OracleInsurance Policy Administration11.0.2
OracleInsurance Policy Administration11.1.0
OracleInsurance Policy Administration11.2.8
OracleInsurance Policy Administration11.3.0
OracleInsurance Policy Administration11.3.1
OraclePeoplesoft Enterprise Peopletools8.57
OraclePeoplesoft Enterprise Peopletools8.58
OraclePeoplesoft Enterprise Peopletools8.59
OraclePrimavera Unifier>= 17.7, <= 17.12
OraclePrimavera Unifier18.8
OraclePrimavera Unifier19.12
OraclePrimavera Unifier20.12
OracleUtilities Testing Accelerator6.0.0.1.1
OracleUtilities Testing Accelerator6.0.0.2.2
OracleUtilities Testing Accelerator6.0.0.3.1
OracleCommunications Messaging Server8.1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-35515?
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
How severe is CVE-2021-35515?
CVE-2021-35515 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 11.88% probability of exploitation in the next 30 days.
How do I fix CVE-2021-35515?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-35515?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST