CVE-2021-36374

CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability

Vendor Apache Software Foundation

Product Apache Ant

Weakness CWE-130

Published July 14, 2021

Last update August 4, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Key dates

Disclosure timeline

July 14, 2021 CVE published

August 4, 2024 Record updated

Identifiers

CVE CVE-2021-36374

CWE CWE-130

Affected versions

Vendor Apache Software Foundation

Product Apache Ant

Affected ≥ 1.4 and < Apache Ant*

Vendor Apache Software Foundation

Product Apache Ant

Affected ≥ Apache Ant 1.9.x and ≤ 1.9.15

Vendor Apache Software Foundation

Product Apache Ant

Affected ≥ Apache Ant 1.10.x and ≤ 1.10.10