CVE-2021-36374

Severity

55%

Complexity

18%

Confidentiality

60%

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

CVSS 3.1 Base Score 5.5. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P).

Overview

Type

Oracle

First reported 3 years ago

2021-07-14 07:15:00

Last updated 3 years ago

2021-12-10 02:12:00

Affected Software

Oracle Enterprise Repository 11.1.1.7.0

11.1.1.7.0

Oracle Primavera Unifier 18.8

18.8

Oracle Retail Back Office 14.0

14.0

Oracle Retail Back Office 14.1

14.1

Oracle Retail Central Office 14.0

14.0

Oracle Retail Central Office 14.1

14.1

Oracle Retail Point-of-service 14.0

14.0

Oracle Retail Point-of-service 14.1

14.1

Oracle Retail Store Inventory Management 14.1

14.1

Oracle Retail Store Inventory Management 15.0

15.0

Oracle Retail Store Inventory Management 16.0

16.0

Oracle Utilities Framework 4.2.0.2.0

4.2.0.2.0

Oracle Utilities Framework 4.2.0.3.0

4.2.0.3.0

Oracle Utilities Framework 4.4.0.0.0

4.4.0.0.0

References

https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E

https://ant.apache.org/security.html

[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)

https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E

Mailing List, Vendor Advisory

https://ant.apache.org/security.html

Patch, Vendor Advisory

[groovy-commits] 20210714 [groovy] 08/09: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)

Mailing List, Vendor Advisory

[groovy-commits] 20210715 [groovy] 02/07: GROOVY-10169: Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)

Mailing List, Vendor Advisory

[groovy-notifications] 20210715 [jira] [Resolved] (GROOVY-10169) Bump Ant version to 1.10.11 (incorporates CVE-2021-36373 and CVE-2021-36374)

Mailing List, Vendor Advisory

https://security.netapp.com/advisory/ntap-20210819-0007/

[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix

https://security.netapp.com/advisory/ntap-20210819-0007/

Third Party Advisory

[myfaces-dev] 20210830 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #1215: build: CVE fix

Mailing List, Vendor Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.