CVE-2021-36090 — Improper Handling of Length Parameter Inconsistency in Compress

Description

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

How to fix CVE-2021-36090

To remediate CVE-2021-36090, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 1.21 or later

Is CVE-2021-36090 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 1.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (36)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-36090
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-36090
WEBcommons.apache.org/proper/commons-compress/security-reports.html
WEBlists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E