Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Local
0

CVE-2021-36373

Disclosure Date: July 14, 2021
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Vendors

  • apache,
  • oracle

Products

  • agile plm 9.3.6,
  • ant,
  • banking trade finance 14.5,
  • banking treasury management 14.5,
  • communications cloud native core automated test suite 1.9.0,
  • communications cloud native core binding support function 1.11.0,
  • communications order and service management 7.3,
  • communications order and service management 7.4,
  • communications unified inventory management 7.3.0,
  • communications unified inventory management 7.4.0,
  • communications unified inventory management 7.4.1,
  • communications unified inventory management 7.4.2,
  • communications unified inventory management 7.5.0,
  • enterprise repository 11.1.1.7.0,
  • financial services analytical applications infrastructure,
  • insurance policy administration,
  • primavera gateway,
  • primavera unifier,
  • primavera unifier 18.8,
  • primavera unifier 19.12,
  • primavera unifier 20.12,
  • real-time decision server 11.1.1.9.0,
  • real-time decision server 3.2.0.0,
  • retail advanced inventory planning 14.1,
  • retail advanced inventory planning 15.0,
  • retail advanced inventory planning 16.0,
  • retail back office 14.0,
  • retail back office 14.1,
  • retail bulk data integration 16.0.3.0,
  • retail bulk data integration 19.0.1,
  • retail central office 14.0,
  • retail central office 14.1,
  • retail eftlink 19.0.1,
  • retail eftlink 20.0.1,
  • retail extract transform and load 13.2.8,
  • retail financial integration 14.1.3.2,
  • retail financial integration 15.0.4.0,
  • retail financial integration 16.0.3.0,
  • retail integration bus 14.1.3.2,
  • retail integration bus 15.0.4.0,
  • retail integration bus 16.0.3.0,
  • retail integration bus 19.0.1.0,
  • retail invoice matching 16.0.3,
  • retail merchandising system 19.0.1,
  • retail point-of-service 14.0,
  • retail point-of-service 14.1,
  • retail predictive application server 14.1.3,
  • retail predictive application server 15.0.3,
  • retail predictive application server 16.0.3.0,
  • retail service backbone 14.1.3.2,
  • retail service backbone 15.0.4.0,
  • retail service backbone 16.0.3.0,
  • retail service backbone 19.0.1.0,
  • retail store inventory management 14.1,
  • retail store inventory management 15.0,
  • retail store inventory management 16.0,
  • retail xstore point of service 16.0.6,
  • retail xstore point of service 17.0.4,
  • retail xstore point of service 18.0.3,
  • retail xstore point of service 19.0.2,
  • retail xstore point of service 20.0.1,
  • timesten in-memory database,
  • utilities framework,
  • utilities framework 4.2.0.2.0,
  • utilities framework 4.2.0.3.0,
  • utilities framework 4.4.0.0.0,
  • utilities framework 4.4.0.2.0,
  • utilities framework 4.4.0.3.0,
  • utilities testing accelerator 6.0.0.1.1

References

Additional Info

Technical Analysis