CVE-2021-35940

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-35940
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-35940.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-35940
Aliases
Related
Published
2021-08-23T10:15:07Z
Modified
2024-09-18T03:15:21.952523Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
[none]
Details

An out-of-bounds array read in the aprtimeexp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.

References

Affected packages

Alpine:v3.14 / apr

Package

Name
apr
Purl
pkg:apk/alpine/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-r1

Affected versions

1.*

1.3.3-r0
1.3.5-r0
1.3.7-r0
1.3.8-r0
1.3.9-r0
1.4.2-r0
1.4.2-r1
1.4.2-r2
1.4.2-r3
1.4.2-r4
1.4.4-r0
1.4.5-r0
1.4.5-r1
1.4.5-r2
1.4.5-r3
1.4.6-r0
1.4.8-r0
1.4.8-r1
1.5.0-r0
1.5.1-r0
1.5.2-r0
1.5.2-r1
1.6.3-r0
1.6.3-r1
1.6.5-r0
1.7.0-r0

Alpine:v3.15 / apr

Package

Name
apr
Purl
pkg:apk/alpine/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-r1

Affected versions

1.*

1.3.3-r0
1.3.5-r0
1.3.7-r0
1.3.8-r0
1.3.9-r0
1.4.2-r0
1.4.2-r1
1.4.2-r2
1.4.2-r3
1.4.2-r4
1.4.4-r0
1.4.5-r0
1.4.5-r1
1.4.5-r2
1.4.5-r3
1.4.6-r0
1.4.8-r0
1.4.8-r1
1.5.0-r0
1.5.1-r0
1.5.2-r0
1.5.2-r1
1.6.3-r0
1.6.3-r1
1.6.5-r0
1.7.0-r0

Alpine:v3.16 / apr

Package

Name
apr
Purl
pkg:apk/alpine/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-r2

Affected versions

1.*

1.3.3-r0
1.3.5-r0
1.3.7-r0
1.3.8-r0
1.3.9-r0
1.4.2-r0
1.4.2-r1
1.4.2-r2
1.4.2-r3
1.4.2-r4
1.4.4-r0
1.4.5-r0
1.4.5-r1
1.4.5-r2
1.4.5-r3
1.4.6-r0
1.4.8-r0
1.4.8-r1
1.5.0-r0
1.5.1-r0
1.5.2-r0
1.5.2-r1
1.6.3-r0
1.6.3-r1
1.6.5-r0
1.7.0-r0
1.7.0-r1

Alpine:v3.17 / apr

Package

Name
apr
Purl
pkg:apk/alpine/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-r2

Affected versions

1.*

1.3.3-r0
1.3.5-r0
1.3.7-r0
1.3.8-r0
1.3.9-r0
1.4.2-r0
1.4.2-r1
1.4.2-r2
1.4.2-r3
1.4.2-r4
1.4.4-r0
1.4.5-r0
1.4.5-r1
1.4.5-r2
1.4.5-r3
1.4.6-r0
1.4.8-r0
1.4.8-r1
1.5.0-r0
1.5.1-r0
1.5.2-r0
1.5.2-r1
1.6.3-r0
1.6.3-r1
1.6.5-r0
1.7.0-r0
1.7.0-r1

Alpine:v3.18 / apr

Package

Name
apr
Purl
pkg:apk/alpine/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-r2

Affected versions

1.*

1.3.3-r0
1.3.5-r0
1.3.7-r0
1.3.8-r0
1.3.9-r0
1.4.2-r0
1.4.2-r1
1.4.2-r2
1.4.2-r3
1.4.2-r4
1.4.4-r0
1.4.5-r0
1.4.5-r1
1.4.5-r2
1.4.5-r3
1.4.6-r0
1.4.8-r0
1.4.8-r1
1.5.0-r0
1.5.1-r0
1.5.2-r0
1.5.2-r1
1.6.3-r0
1.6.3-r1
1.6.5-r0
1.7.0-r0
1.7.0-r1

Alpine:v3.19 / apr

Package

Name
apr
Purl
pkg:apk/alpine/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-r2

Affected versions

1.*

1.3.3-r0
1.3.5-r0
1.3.7-r0
1.3.8-r0
1.3.9-r0
1.4.2-r0
1.4.2-r1
1.4.2-r2
1.4.2-r3
1.4.2-r4
1.4.4-r0
1.4.5-r0
1.4.5-r1
1.4.5-r2
1.4.5-r3
1.4.6-r0
1.4.8-r0
1.4.8-r1
1.5.0-r0
1.5.1-r0
1.5.2-r0
1.5.2-r1
1.6.3-r0
1.6.3-r1
1.6.5-r0
1.7.0-r0
1.7.0-r1

Alpine:v3.20 / apr

Package

Name
apr
Purl
pkg:apk/alpine/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-r2

Affected versions

1.*

1.3.3-r0
1.3.5-r0
1.3.7-r0
1.3.8-r0
1.3.9-r0
1.4.2-r0
1.4.2-r1
1.4.2-r2
1.4.2-r3
1.4.2-r4
1.4.4-r0
1.4.5-r0
1.4.5-r1
1.4.5-r2
1.4.5-r3
1.4.6-r0
1.4.8-r0
1.4.8-r1
1.5.0-r0
1.5.1-r0
1.5.2-r0
1.5.2-r1
1.6.3-r0
1.6.3-r1
1.6.5-r0
1.7.0-r0
1.7.0-r1

Alpine:v3.13 / apr

Package

Name
apr
Purl
pkg:apk/alpine/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-r1

Affected versions

1.*

1.3.3-r0
1.3.5-r0
1.3.7-r0
1.3.8-r0
1.3.9-r0
1.4.2-r0
1.4.2-r1
1.4.2-r2
1.4.2-r3
1.4.2-r4
1.4.4-r0
1.4.5-r0
1.4.5-r1
1.4.5-r2
1.4.5-r3
1.4.6-r0
1.4.8-r0
1.4.8-r1
1.5.0-r0
1.5.1-r0
1.5.2-r0
1.5.2-r1
1.6.3-r0
1.6.3-r1
1.6.5-r0
1.7.0-r0

Debian:11 / apr

Package

Name
apr
Purl
pkg:deb/debian/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-6+deb11u1

Affected versions

1.*

1.7.0-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / apr

Package

Name
apr
Purl
pkg:deb/debian/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / apr

Package

Name
apr
Purl
pkg:deb/debian/apr?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.0-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/apache/apr

Affected ranges

Type
GIT
Repo
https://github.com/apache/apr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected