github - ghsa-5v34-g2px-j4fw

ghsa-5v34-g2px-j4fw

Vulnerability from github

Published

2021-08-02 16:56

Modified

2024-03-01 20:27

Severity

5.5 (Medium) - CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Summary

Improper Handling of Length Parameter Inconsistency in Apache Ant

Details

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.ant:ant"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.ant:ant"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36374"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-130"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-15T19:18:28Z",
    "nvd_published_at": "2021-07-14T07:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.",
  "id": "GHSA-5v34-g2px-j4fw",
  "modified": "2024-03-01T20:27:26Z",
  "published": "2021-08-02T16:56:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36374"
    },
    {
      "type": "WEB",
      "url": "https://ant.apache.org/security.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210819-0007"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Handling of Length Parameter Inconsistency in Apache Ant"
}

cve-2021-36374

Vulnerability from cvelistv5

Published

2021-07-14 06:20

Modified

2024-08-04 00:54

Severity

Summary

Apache Ant ZIP, and ZIP based, archive denial of service vulerability

References

URL	Tags
https://ant.apache.org/security.html	x_refsource_MISC
https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E	x_refsource_MISC
https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E	mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E	mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-20210819-0007/	x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

Vendor	Product
Apache Software Foundation	Apache Ant

Show details on NVD website