When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
References
Link Providers
http://www.openwall.com/lists/oss-security/2021/07/13/3 cve-icon cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2021/07/13/5 cve-icon cve-icon
https://commons.apache.org/proper/commons-compress/security-reports.html cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2021-35517 cve-icon
https://security.netapp.com/advisory/ntap-20211022-0001/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2021-35517 cve-icon
https://www.oracle.com/security-alerts/cpuapr2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujul2022.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuoct2021.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2021-07-13T07:15:22

Updated: 2024-08-04T00:40:46.713Z

Reserved: 2021-06-27T00:00:00

Link: CVE-2021-35517

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-07-13T08:15:07.220

Modified: 2024-11-21T06:12:25.653

Link: CVE-2021-35517

cve-icon Redhat

Severity : Moderate

Publid Date: 2021-07-13T00:00:00Z

Links: CVE-2021-35517 - Bugzilla