CVE-2021-36090 - Denial of Service

Severity: Medium
Published: 2021-08-25


Abstract

When reading a specially crafted ZIP archive, Apache Commons Compress can be made to allocate large amounts of memory, ending in an out-of-memory error even for very small inputs. This can be used to mount a denial-of-service attack against services that use the Compress zip package.

Affected Products/Versions

Product                                      | Severity | Fixed Release Availability
---------------------------------------------|----------|------------------------------------------
Oxygen XML Editor 23.1 and older versions    | Medium   | Oxygen XML Editor 23.1 build 2021082307
Oxygen XML Developer 23.1 and older versions | Medium   | Oxygen XML Developer 23.1 build 2021082307
Oxygen XML Author 23.1 and older versions    | Medium   | Oxygen XML Author 23.1 build 2021082307
Oxygen Content Fusion v4.1 and older         | Low      | Oxygen Content Fusion 4.1.2 build 2021112414

Mitigation

None (no workaround is available; update to one of the fixed releases listed above).

Detail

CVE-2021-36090

Severity: High

CVSS Score: 7.5

The High rating and the 7.5 score apply to the CVE itself; the Medium and Low ratings in the table above are the product-level assessments for each Oxygen product.

The Apache Commons Compress version bundled with the Oxygen XML products listed above (releases 1.0 through 1.20 are affected) is among the versions named in the CVE-2021-36090 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.
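To confirm what an installation actually ships rather than trusting the build number alone, the following check is an added example and not code from Syncro Soft or the Oxygen products. It assumes the library is bundled as lib/commons-compress-<version>.jar (a naming convention the advisory does not state) and that any version from 1.21 upward contains the fix, as the paragraph above says.

```shell
#!/bin/sh
# Added example (not Syncro Soft's code): flag a vulnerable Apache Commons
# Compress jar in an Oxygen installation's lib/ directory.
# Assumptions (not stated on the advisory page): the jar is named
# commons-compress-<version>.jar and versions >= 1.21 carry the fix.

# compress_version_fixed VERSION
#   Return 0 when VERSION (e.g. "1.21") is 1.21 or later, non-zero otherwise.
#   Only digits and dots are accepted; anything else is treated as unknown (2).
compress_version_fixed() {
    case "$1" in
        ''|*[!0-9.]*) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 21 ]; }
}

# check_oxygen_lib LIBDIR
#   Print one OK/VULNERABLE line per commons-compress jar found in LIBDIR.
#   Return 0 only when no vulnerable jar was found; 3 when no jar is present.
check_oxygen_lib() {
    status=0
    for jar in "$1"/commons-compress-*.jar; do
        [ -e "$jar" ] || { echo "no commons-compress jar found in $1"; return 3; }
        v=${jar##*/commons-compress-}
        v=${v%.jar}
        if compress_version_fixed "$v"; then
            echo "OK         $jar (version $v)"
        else
            echo "VULNERABLE $jar (version $v; fixed in 1.21)"
            status=1
        fi
    done
    return $status
}

# Constructed sample: empty stand-in jars for a pre-fix and a fixed version,
# created in a temporary directory so the script runs without a real install.
demo=$(mktemp -d)
: > "$demo/commons-compress-1.20.jar"
: > "$demo/commons-compress-1.21.jar"
if check_oxygen_lib "$demo"; then
    echo "no vulnerable Commons Compress jar in $demo"
else
    echo "update required for $demo"
fi
rm -rf "$demo"
```

Run it against the real installation with `check_oxygen_lib /path/to/oxygen/lib`; a non-zero exit means a pre-1.21 jar is still present. The version parser deliberately rejects strings that are not plain dotted numbers, so an unexpected jar name is reported as vulnerable rather than silently passed.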

Revision History

2021-12-07 Starting with Oxygen Content Fusion version 4.1 build ...., the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.
