CVE-2021-36374

Name: CVE-2021-36374
Creator: NVD / NIST
Published: 2021-07-14T07:15:08.4+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 2.62%

Last modified Jun 17, 2026

CVE-2021-36374 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. EPSS estimates a 2.62% chance of exploitation in the next 30 days.

Description

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS Probability

2.62%

83.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-130

Affected Software

Vendor	Product	Versions
Apache	Ant	>= 1.9.0, < 1.9.16
Apache	Ant	>= 1.10.0, < 1.10.11
Oracle	Agile Engineering Data Management	6.2.1.0
Oracle	Agile Plm	9.3.6
Oracle	Banking Trade Finance	14.5
Oracle	Banking Treasury Management	14.5
Oracle	Communications Cloud Native Core Automated Test Suite	1.9.0
Oracle	Communications Cloud Native Core Binding Support Function	1.11.0
Oracle	Communications Diameter Intelligence Hub	>= 8.0.0, <= 8.1.0
Oracle	Communications Diameter Intelligence Hub	>= 8.2.0, <= 8.2.3
Oracle	Communications Order And Service Management	7.3
Oracle	Communications Order And Service Management	7.4
Oracle	Communications Unified Inventory Management	7.3.0
Oracle	Communications Unified Inventory Management	7.4.0
Oracle	Communications Unified Inventory Management	7.4.1
Oracle	Communications Unified Inventory Management	7.4.2
Oracle	Communications Unified Inventory Management	7.5.0
Oracle	Enterprise Repository	11.1.1.7.0
Oracle	Financial Services Analytical Applications Infrastructure	>= 8.0.6, <= 8.1.1
Oracle	Health Sciences Information Manager	>= 3.0.1, <= 3.0.5
Oracle	Health Sciences Information Manager	3.0.0.1
Oracle	Insurance Policy Administration	>= 11.0, <= 11.3.1
Oracle	Primavera Gateway	>= 17.12.0, <= 17.12.11
Oracle	Primavera Gateway	>= 18.8.0, <= 18.8.12
Oracle	Primavera Gateway	>= 19.12.0, <= 19.12.11
Oracle	Primavera Gateway	>= 20.12.0, <= 20.12.7
Oracle	Primavera Unifier	>= 17.7, <= 17.12
Oracle	Primavera Unifier	18.8
Oracle	Primavera Unifier	19.12
Oracle	Primavera Unifier	20.12
Oracle	Product Lifecycle Analytics	3.6.1
Oracle	Real-Time Decision Server	3.2.0.0
Oracle	Real-Time Decision Server	11.1.1.9.0
Oracle	Retail Advanced Inventory Planning	14.1
Oracle	Retail Advanced Inventory Planning	15.0
Oracle	Retail Advanced Inventory Planning	16.0
Oracle	Retail Back Office	14.0
Oracle	Retail Back Office	14.1
Oracle	Retail Bulk Data Integration	16.0.3.0
Oracle	Retail Bulk Data Integration	19.0.1
Oracle	Retail Central Office	14.0
Oracle	Retail Central Office	14.1
Oracle	Retail Eftlink	19.0.1
Oracle	Retail Eftlink	20.0.1
Oracle	Retail Extract Transform And Load	13.2.8
Oracle	Retail Financial Integration	14.1.3.2
Oracle	Retail Financial Integration	15.0.4.0
Oracle	Retail Financial Integration	16.0.3.0
Oracle	Retail Integration Bus	14.1.3.2
Oracle	Retail Integration Bus	15.0.4.0

Showing 50 of 79 affected configurations. See NVD for the full list.

References

https://ant.apache.org/security.htmlPatch, Vendor Advisory
https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E
https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E
https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3EMailing List, Vendor Advisory
https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E
https://security.netapp.com/advisory/ntap-20210819-0007/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
https://ant.apache.org/security.htmlPatch, Vendor Advisory
https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E
https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E
https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3EMailing List, Vendor Advisory
https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E
https://security.netapp.com/advisory/ntap-20210819-0007/Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory

Timeline

Published: Jul 14, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-36374?

How severe is CVE-2021-36374?

CVE-2021-36374 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 2.62% probability of exploitation in the next 30 days.

How do I fix CVE-2021-36374?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-36374?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST