CVE-2021-35517 — Improper Handling of Length Parameter Inconsistency in Compress

Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

How to fix CVE-2021-35517

To remediate CVE-2021-35517, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.21 or later

Is CVE-2021-35517 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 1.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (24)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-35517
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-35517
WEBcommons.apache.org/proper/commons-compress/security-reports.html
WEBlists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E