CVE-2021-36373

When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory, finally leading to an out-of-memory error, even for small inputs. This can be used to disrupt builds that use Apache Ant. Apache Ant versions prior to 1.9.16 and 1.10.11 are affected.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.5 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| apache | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |

EPSS Score: Percentile 36%
| Vendor | Product | Version |
|---|---|---|
| apache | ant | 1.9.0 ≤ x < 1.9.16 |
| apache | ant | 1.10.0 ≤ x < 1.10.11 |
| oracle | agile_plm | 9.3.6 |
| oracle | banking_trade_finance | 14.5 |
| oracle | banking_treasury_management | 14.5 |
| oracle | communications_cloud_native_core_automated_test_suite | 1.9.0 |
| oracle | communications_cloud_native_core_binding_support_function | 1.11.0 |
| oracle | communications_order_and_service_management | 7.3 |
| oracle | communications_order_and_service_management | 7.4 |
| oracle | communications_unified_inventory_management | 7.3.0 |
| oracle | communications_unified_inventory_management | 7.4.0 |
| oracle | communications_unified_inventory_management | 7.4.1 |
| oracle | communications_unified_inventory_management | 7.4.2 |
| oracle | communications_unified_inventory_management | 7.5.0 |
| oracle | enterprise_repository | 11.1.1.7.0 |
| oracle | financial_services_analytical_applications_infrastructure | 8.0.6 ≤ x ≤ 8.1.1 |
| oracle | insurance_policy_administration | 11.0 ≤ x ≤ 11.3.1 |
| oracle | primavera_gateway | 17.12.0 ≤ x ≤ 17.12.11 |
| oracle | primavera_gateway | 18.8.0 ≤ x ≤ 18.8.12 |
| oracle | primavera_gateway | 19.12.0 ≤ x ≤ 19.12.11 |
| oracle | primavera_gateway | 20.12.0 ≤ x ≤ 20.12.7 |
| oracle | primavera_unifier | 17.7 ≤ x ≤ 17.12 |
| oracle | primavera_unifier | 18.8 |
| oracle | primavera_unifier | 19.12 |
| oracle | primavera_unifier | 20.12 |
| oracle | real-time_decision_server | 3.2.0.0 |
| oracle | real-time_decision_server | 11.1.1.9.0 |
| oracle | retail_advanced_inventory_planning | 14.1 |
| oracle | retail_advanced_inventory_planning | 15.0 |
| oracle | retail_advanced_inventory_planning | 16.0 |
| oracle | retail_back_office | 14.0 |
| oracle | retail_back_office | 14.1 |
| oracle | retail_bulk_data_integration | 16.0.3.0 |
| oracle | retail_bulk_data_integration | 19.0.1 |
| oracle | retail_central_office | 14.0 |
| oracle | retail_central_office | 14.1 |
| oracle | retail_eftlink | 19.0.1 |
| oracle | retail_eftlink | 20.0.1 |
| oracle | retail_extract_transform_and_load | 13.2.8 |
| oracle | retail_financial_integration | 14.1.3.2 |
| oracle | retail_financial_integration | 15.0.4.0 |
| oracle | retail_financial_integration | 16.0.3.0 |
| oracle | retail_integration_bus | 14.1.3.2 |
| oracle | retail_integration_bus | 15.0.4.0 |
| oracle | retail_integration_bus | 16.0.3.0 |
| oracle | retail_integration_bus | 19.0.1.0 |
| oracle | retail_invoice_matching | 16.0.3 |
| oracle | retail_merchandising_system | 19.0.1 |
| oracle | retail_point-of-service | 14.0 |
| oracle | retail_point-of-service | 14.1 |
| oracle | retail_predictive_application_server | 14.1.3 |
| oracle | retail_predictive_application_server | 15.0.3 |
| oracle | retail_predictive_application_server | 16.0.3.0 |
| oracle | retail_service_backbone | 14.1.3.2 |
| oracle | retail_service_backbone | 15.0.4.0 |
| oracle | retail_service_backbone | 16.0.3.0 |
| oracle | retail_service_backbone | 19.0.1.0 |
| oracle | retail_store_inventory_management | 14.1 |
| oracle | retail_store_inventory_management | 15.0 |
| oracle | retail_store_inventory_management | 16.0 |
| oracle | retail_xstore_point_of_service | 16.0.6 |
| oracle | retail_xstore_point_of_service | 17.0.4 |
| oracle | retail_xstore_point_of_service | 18.0.3 |
| oracle | retail_xstore_point_of_service | 19.0.2 |
| oracle | retail_xstore_point_of_service | 20.0.1 |
| oracle | timesten_in-memory_database | x < 11.2.2.8.27 |
| oracle | utilities_framework | 4.3.0.1.0 ≤ x ≤ 4.3.0.6.0 |
| oracle | utilities_framework | 4.2.0.2.0 |
| oracle | utilities_framework | 4.2.0.3.0 |
| oracle | utilities_framework | 4.4.0.0.0 |
| oracle | utilities_framework | 4.4.0.2.0 |
| oracle | utilities_framework | 4.4.0.3.0 |
| oracle | utilities_testing_accelerator | 6.0.0.1.1 |

x = vulnerable software versions
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| ant | bullseye | | unimportant |
| ant | bookworm | 1.10.13-1 | fixed |
| ant | sid | 1.10.15-1 | fixed |
| ant | trixie | 1.10.15-1 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| ant | noble | needs-triage |
| ant | mantic | ignored |
| ant | lunar | ignored |
| ant | kinetic | ignored |
| ant | jammy | needs-triage |
| ant | impish | ignored |
| ant | hirsute | ignored |
| ant | groovy | ignored |
| ant | focal | needs-triage |
| ant | bionic | needs-triage |
| ant | xenial | needs-triage |
| ant | trusty | needs-triage |