CVE-2021-36374
- Source
- https://cve.org/CVERecord?id=CVE-2021-36374
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-36374.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-36374
- Aliases
- Downstream
- Related
- Published
- 2021-07-14T07:15:08.400Z
- Modified
- 2026-02-14T00:50:41.655675Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
- References
-
- https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E
- https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E
- https://ant.apache.org/security.html
- https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210819-0007/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://ant.apache.org/security.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
Affected packages
Git / github.com/apache/ant
Affected versions
ANT_1.*
ANT_1.10.0_RC1
ANT_1.10.1_RC1
ANT_1.10.2_RC1
ANT_1.10.3_RC2
ANT_1.10.4_RC1
ANT_1.10.5_RC1
ANT_1.10.6_RC1
ANT_1.10.6_RC2
ANT_1.10.7_RC1
ANT_1.10.8_RC1
ANT_1.10.9_RC1
ANT_1.9.15_RC1
Other
ANT_1914_RC1
ANT_198_RC1
ANT_199_RC1
ANT_1_9_10_RC1
ANT_1_9_11_RC1
ANT_1_9_12_RC1
rel/1.*
rel/1.10.0
rel/1.10.1
rel/1.10.2
rel/1.10.3
rel/1.10.4
rel/1.10.5
rel/1.10.6
rel/1.10.7
rel/1.10.8
rel/1.10.9
rel/1.9.10
rel/1.9.11
rel/1.9.12
rel/1.9.14
rel/1.9.15
rel/1.9.8
rel/1.9.9