Posted to announce@apache.org by Stefan Bodewig <bo...@apache.org> on 2021/07/13 04:00:47 UTC
CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
Severity: low
Description:
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Mitigation:
Commons Compress users should upgrade to 1.21 or later.
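The advisory's only real fix is the upgrade above, but a practitioner will usually want two things around it: a runtime check that the Commons Compress actually loaded by the service is 1.21 or later (dependency trees lie, shaded jars and transitive pins are common), and, for the window before the upgrade ships, a bulkhead that keeps a looping 7z parse from hanging the request thread. The following is an added example, not code from the advisory or from the Commons Compress project. It assumes the class name SevenZGuard, a timeout chosen by the caller, and that the Commons Compress jar manifest carries an Implementation-Version entry (it normally does for the official releases, but it may be absent in repackaged jars, in which case the check reports "not proven fixed").

```java
import java.io.File;
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.compress.archivers.sevenz.SevenZFile;

// Added example (hypothetical class, not part of Commons Compress).
public class SevenZGuard {

    /**
     * True if the Commons Compress on the classpath is 1.21 or later, i.e. carries
     * the CVE-2021-35515 fix. Reads Implementation-Version from the jar manifest
     * (assumption: present); an unknown version is reported as NOT fixed.
     */
    static boolean compressIsFixed() {
        Package p = SevenZFile.class.getPackage();
        String v = p == null ? null : p.getImplementationVersion();
        if (v == null) {
            return false; // cannot prove the fix is present: fail closed
        }
        String[] parts = v.split("[.-]");      // "1.21", "1.21.1", "1.21-SNAPSHOT"
        int major = Integer.parseInt(parts[0]);
        int minor = parts.length > 1 ? Integer.parseInt(parts[1]) : 0;
        return major > 1 || (major == 1 && minor >= 21);
    }

    /**
     * Walks the entries of a 7z archive on a worker thread and gives up after
     * timeoutSeconds. Defence in depth only: the looping thread itself cannot be
     * stopped (see the catch block), so this protects the caller, not the CPU.
     */
    static long countEntries(File archive, long timeoutSeconds) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "sevenz-reader");
            t.setDaemon(true); // a thread stuck in the loop must not block JVM shutdown
            return t;
        });
        Future<Long> result = pool.submit(() -> {
            long n = 0;
            // The vulnerable codec-list construction runs while entries are opened,
            // so a crafted archive hangs inside this loop on 1.6 - 1.20.
            try (SevenZFile z = new SevenZFile(archive)) {
                while (z.getNextEntry() != null) {
                    n++;
                }
            }
            return n;
        });
        try {
            return result.get(timeoutSeconds, TimeUnit.SECONDS);
        } catch (TimeoutException te) {
            // cancel(true) only sets the interrupt flag; a tight loop that never checks
            // it keeps spinning, which is why this is not a substitute for upgrading.
            result.cancel(true);
            throw new IOException("7z processing exceeded " + timeoutSeconds
                    + "s; treating archive as malicious", te);
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        if (!compressIsFixed()) {
            System.err.println("WARNING: Commons Compress < 1.21 (or unknown) on classpath; "
                    + "CVE-2021-35515 not mitigated");
        }
        System.out.println("entries: " + countEntries(new File(args[0]), 10));
    }
}
```

In a real service the executor would be a dedicated, bounded pool shared across requests (a bulkhead), so that a handful of crafted archives exhaust that pool rather than the request handlers; the per-call executor above is only to keep the example self-contained. Either way, a thread that has entered the infinite loop stays alive until the JVM exits, so the timeout buys graceful degradation, and the upgrade to 1.21 remains the fix.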
Credit:
This issue was discovered by OSS Fuzz.
References:
https://commons.apache.org/proper/commons-compress/security-reports.html