csaf_opensuse - opensuse-su-2024:11688-1

OPENSUSE-SU-2024:11688-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ant-1.10.12-1.1 on GA media

Notes

Title of the patch

ant-1.10.12-1.1 on GA media

Description of the patch

These are all security issues fixed in the ant-1.10.12-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-11688

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ant-1.10.12-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ant-1.10.12-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-11688",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11688-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-36373 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-36373/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2021-36374 page",
        "url": "https://www.suse.com/security/cve/CVE-2021-36374/"
      }
    ],
    "title": "ant-1.10.12-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:11688-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ant-1.10.12-1.1.aarch64",
                "product": {
                  "name": "ant-1.10.12-1.1.aarch64",
                  "product_id": "ant-1.10.12-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ant-jmf-1.10.12-1.1.aarch64",
                "product": {
                  "name": "ant-jmf-1.10.12-1.1.aarch64",
                  "product_id": "ant-jmf-1.10.12-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ant-scripts-1.10.12-1.1.aarch64",
                "product": {
                  "name": "ant-scripts-1.10.12-1.1.aarch64",
                  "product_id": "ant-scripts-1.10.12-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ant-swing-1.10.12-1.1.aarch64",
                "product": {
                  "name": "ant-swing-1.10.12-1.1.aarch64",
                  "product_id": "ant-swing-1.10.12-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ant-1.10.12-1.1.ppc64le",
                "product": {
                  "name": "ant-1.10.12-1.1.ppc64le",
                  "product_id": "ant-1.10.12-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ant-jmf-1.10.12-1.1.ppc64le",
                "product": {
                  "name": "ant-jmf-1.10.12-1.1.ppc64le",
                  "product_id": "ant-jmf-1.10.12-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ant-scripts-1.10.12-1.1.ppc64le",
                "product": {
                  "name": "ant-scripts-1.10.12-1.1.ppc64le",
                  "product_id": "ant-scripts-1.10.12-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ant-swing-1.10.12-1.1.ppc64le",
                "product": {
                  "name": "ant-swing-1.10.12-1.1.ppc64le",
                  "product_id": "ant-swing-1.10.12-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ant-1.10.12-1.1.s390x",
                "product": {
                  "name": "ant-1.10.12-1.1.s390x",
                  "product_id": "ant-1.10.12-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ant-jmf-1.10.12-1.1.s390x",
                "product": {
                  "name": "ant-jmf-1.10.12-1.1.s390x",
                  "product_id": "ant-jmf-1.10.12-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ant-scripts-1.10.12-1.1.s390x",
                "product": {
                  "name": "ant-scripts-1.10.12-1.1.s390x",
                  "product_id": "ant-scripts-1.10.12-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ant-swing-1.10.12-1.1.s390x",
                "product": {
                  "name": "ant-swing-1.10.12-1.1.s390x",
                  "product_id": "ant-swing-1.10.12-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ant-1.10.12-1.1.x86_64",
                "product": {
                  "name": "ant-1.10.12-1.1.x86_64",
                  "product_id": "ant-1.10.12-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ant-jmf-1.10.12-1.1.x86_64",
                "product": {
                  "name": "ant-jmf-1.10.12-1.1.x86_64",
                  "product_id": "ant-jmf-1.10.12-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ant-scripts-1.10.12-1.1.x86_64",
                "product": {
                  "name": "ant-scripts-1.10.12-1.1.x86_64",
                  "product_id": "ant-scripts-1.10.12-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ant-swing-1.10.12-1.1.x86_64",
                "product": {
                  "name": "ant-swing-1.10.12-1.1.x86_64",
                  "product_id": "ant-swing-1.10.12-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-1.10.12-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-1.10.12-1.1.aarch64"
        },
        "product_reference": "ant-1.10.12-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-1.10.12-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-1.10.12-1.1.ppc64le"
        },
        "product_reference": "ant-1.10.12-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-1.10.12-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-1.10.12-1.1.s390x"
        },
        "product_reference": "ant-1.10.12-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-1.10.12-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-1.10.12-1.1.x86_64"
        },
        "product_reference": "ant-1.10.12-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-jmf-1.10.12-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.aarch64"
        },
        "product_reference": "ant-jmf-1.10.12-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-jmf-1.10.12-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.ppc64le"
        },
        "product_reference": "ant-jmf-1.10.12-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-jmf-1.10.12-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.s390x"
        },
        "product_reference": "ant-jmf-1.10.12-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-jmf-1.10.12-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.x86_64"
        },
        "product_reference": "ant-jmf-1.10.12-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-scripts-1.10.12-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.aarch64"
        },
        "product_reference": "ant-scripts-1.10.12-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-scripts-1.10.12-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.ppc64le"
        },
        "product_reference": "ant-scripts-1.10.12-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-scripts-1.10.12-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.s390x"
        },
        "product_reference": "ant-scripts-1.10.12-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-scripts-1.10.12-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.x86_64"
        },
        "product_reference": "ant-scripts-1.10.12-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-swing-1.10.12-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.aarch64"
        },
        "product_reference": "ant-swing-1.10.12-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-swing-1.10.12-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.ppc64le"
        },
        "product_reference": "ant-swing-1.10.12-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-swing-1.10.12-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.s390x"
        },
        "product_reference": "ant-swing-1.10.12-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ant-swing-1.10.12-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.x86_64"
        },
        "product_reference": "ant-swing-1.10.12-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-36373",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-36373"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ant-1.10.12-1.1.aarch64",
          "openSUSE Tumbleweed:ant-1.10.12-1.1.ppc64le",
          "openSUSE Tumbleweed:ant-1.10.12-1.1.s390x",
          "openSUSE Tumbleweed:ant-1.10.12-1.1.x86_64",
          "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.aarch64",
          "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.ppc64le",
          "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.s390x",
          "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.x86_64",
          "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.aarch64",
          "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.ppc64le",
          "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.s390x",
          "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.x86_64",
          "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.aarch64",
          "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.ppc64le",
          "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.s390x",
          "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-36373",
          "url": "https://www.suse.com/security/cve/CVE-2021-36373"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188468 for CVE-2021-36373",
          "url": "https://bugzilla.suse.com/1188468"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ant-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ant-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-36373"
    },
    {
      "cve": "CVE-2021-36374",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2021-36374"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ant-1.10.12-1.1.aarch64",
          "openSUSE Tumbleweed:ant-1.10.12-1.1.ppc64le",
          "openSUSE Tumbleweed:ant-1.10.12-1.1.s390x",
          "openSUSE Tumbleweed:ant-1.10.12-1.1.x86_64",
          "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.aarch64",
          "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.ppc64le",
          "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.s390x",
          "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.x86_64",
          "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.aarch64",
          "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.ppc64le",
          "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.s390x",
          "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.x86_64",
          "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.aarch64",
          "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.ppc64le",
          "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.s390x",
          "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2021-36374",
          "url": "https://www.suse.com/security/cve/CVE-2021-36374"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1188469 for CVE-2021-36374",
          "url": "https://bugzilla.suse.com/1188469"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ant-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ant-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-jmf-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-scripts-1.10.12-1.1.x86_64",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.aarch64",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.ppc64le",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.s390x",
            "openSUSE Tumbleweed:ant-swing-1.10.12-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2021-36374"
    }
  ]
}

CVE-2021-36374 (GCVE-0-2021-36374)

Vulnerability from cvelistv5 – Published: 2021-07-14 06:20 – Updated: 2024-08-04 00:54

Summary

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Severity ?

No CVSS data available.

CWE

CWE-130 - Improper Handling of Length Parameter Inconsistency

Assigner

apache

References

URL

Tags

	https://ant.apache.org/security.html	x_refsource_MISC
	https://lists.apache.org/thread.html/rdd5412a5b9a…	x_refsource_MISC
	https://lists.apache.org/thread.html/r27919fd4db0…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r544c9e84874…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rad36f470647…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rf4bb79751a0…	mailing-listx_refsource_MLIST
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2021081…	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Ant	Affected: 1.4 , < Apache Ant* (custom) Affected: Apache Ant 1.9.x , ≤ 1.9.15 (custom) Affected: Apache Ant 1.10.x , ≤ 1.10.10 (custom)

Credits

This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090 present in Apache Commons Compress which has been detected by OSS Fuzz.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:54:51.456Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ant.apache.org/security.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E"
          },
          {
            "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E"
          },
          {
            "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E"
          },
          {
            "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E"
          },
          {
            "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210819-0007/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ant",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "Apache Ant*",
              "status": "affected",
              "version": "1.4",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "1.9.15",
              "status": "affected",
              "version": "Apache Ant 1.9.x",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "1.10.10",
              "status": "affected",
              "version": "Apache Ant 1.10.x",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090 present in Apache Commons Compress which has been detected by OSS Fuzz."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-130",
              "description": "CWE-130 Improper Handling of Length Parameter Inconsistency ",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:30:31",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ant.apache.org/security.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E"
        },
        {
          "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E"
        },
        {
          "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E"
        },
        {
          "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E"
        },
        {
          "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210819-0007/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
      "workarounds": [
        {
          "lang": "en",
          "value": "Apache Ant 1.9.x users should upgrade to 1.9.16 or later.\nApache Ant 1.10.x users should upgrade to 1.10.11 or later."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-36374",
          "STATE": "PUBLIC",
          "TITLE": "Apache Ant ZIP, and ZIP based, archive denial of service vulerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ant",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003e=",
                            "version_name": "Apache Ant",
                            "version_value": "1.4"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Ant 1.9.x",
                            "version_value": "1.9.15"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Ant 1.10.x",
                            "version_value": "1.10.10"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090 present in Apache Commons Compress which has been detected by OSS Fuzz."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-130 Improper Handling of Length Parameter Inconsistency "
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ant.apache.org/security.html",
              "refsource": "MISC",
              "url": "https://ant.apache.org/security.html"
            },
            {
              "name": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E"
            },
            {
              "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E"
            },
            {
              "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E"
            },
            {
              "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E"
            },
            {
              "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210819-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210819-0007/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Apache Ant 1.9.x users should upgrade to 1.9.16 or later.\nApache Ant 1.10.x users should upgrade to 1.10.11 or later."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-36374",
    "datePublished": "2021-07-14T06:20:12",
    "dateReserved": "2021-07-12T00:00:00",
    "dateUpdated": "2024-08-04T00:54:51.456Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-36373 (GCVE-0-2021-36373)

Vulnerability from cvelistv5 – Published: 2021-07-14 06:20 – Updated: 2024-08-04 00:54

Summary

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Severity ?

No CVSS data available.

CWE

CWE-130 - Improper Handling of Length Parameter Inconsistency

Assigner

apache

References

URL

Tags

	https://ant.apache.org/security.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r54afdab05e0…	x_refsource_MISC
	https://lists.apache.org/thread.html/r27919fd4db0…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r544c9e84874…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rad36f470647…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rf4bb79751a0…	mailing-listx_refsource_MLIST
	https://www.oracle.com/security-alerts/cpuoct2021.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2021081…	x_refsource_CONFIRM
	https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpuapr2022.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Ant	Affected: Apache Ant 1.9.x , ≤ 1.9.15 (custom) Affected: Apache Ant 1.10.x , ≤ 1.10.10 (custom) Unaffected: Apache Ant , < 1.9.0 (custom)

Credits

This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517 present in Apache Commons Compress which has been detected by OSS Fuzz.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T00:54:51.488Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ant.apache.org/security.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E"
          },
          {
            "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E"
          },
          {
            "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E"
          },
          {
            "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E"
          },
          {
            "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210819-0007/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Ant",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.9.0",
                  "status": "affected"
                }
              ],
              "lessThanOrEqual": "1.9.15",
              "status": "affected",
              "version": "Apache Ant 1.9.x",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "1.10.0",
                  "status": "affected"
                }
              ],
              "lessThanOrEqual": "1.10.10",
              "status": "affected",
              "version": "Apache Ant 1.10.x",
              "versionType": "custom"
            },
            {
              "lessThan": "1.9.0",
              "status": "unaffected",
              "version": "Apache Ant",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517 present in Apache Commons Compress which has been detected by OSS Fuzz."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-130",
              "description": "CWE-130 Improper Handling of Length Parameter Inconsistency ",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-07-25T16:30:21",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ant.apache.org/security.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E"
        },
        {
          "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E"
        },
        {
          "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E"
        },
        {
          "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E"
        },
        {
          "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210819-0007/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Ant TAR archive denial of service vulnerability",
      "workarounds": [
        {
          "lang": "en",
          "value": "Apache Ant 1.9.x users should upgrade to 1.9.16 or later.\nApache Ant 1.10.x users should upgrade to 1.10.11 or later."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-36373",
          "STATE": "PUBLIC",
          "TITLE": "Apache Ant TAR archive denial of service vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Ant",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Ant 1.9.x",
                            "version_value": "1.9.15"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache Ant 1.10.x",
                            "version_value": "1.10.10"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "Apache Ant 1.9.x",
                            "version_value": "1.9.0"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "Apache Ant 1.10.x",
                            "version_value": "1.10.0"
                          },
                          {
                            "version_affected": "!\u003c",
                            "version_name": "Apache Ant",
                            "version_value": "1.9.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "This issue is similar to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517 present in Apache Commons Compress which has been detected by OSS Fuzz."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-130 Improper Handling of Length Parameter Inconsistency "
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ant.apache.org/security.html",
              "refsource": "MISC",
              "url": "https://ant.apache.org/security.html"
            },
            {
              "name": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E"
            },
            {
              "name": "[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E"
            },
            {
              "name": "[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E"
            },
            {
              "name": "[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E"
            },
            {
              "name": "[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210819-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210819-0007/"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Apache Ant 1.9.x users should upgrade to 1.9.16 or later.\nApache Ant 1.10.x users should upgrade to 1.10.11 or later."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-36373",
    "datePublished": "2021-07-14T06:20:11",
    "dateReserved": "2021-07-12T00:00:00",
    "dateUpdated": "2024-08-04T00:54:51.488Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2024:11688-1

CVE-2021-36374 (GCVE-0-2021-36374)

CVE-2021-36373 (GCVE-0-2021-36373)

Tags

Sightings

Nomenclature