CVE-2021-35516 — Improper Handling of Length Parameter Inconsistency in Compress

Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

How to fix CVE-2021-35516

To remediate CVE-2021-35516, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.21 or later

Is CVE-2021-35516 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 1.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (20)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-35516
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-35516
WEBcommons.apache.org/proper/commons-compress/security-reports.html
WEBlists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E