
CVE-2021-35517: Improper Handling of Length Parameter Inconsistency in Compress

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.54029%
Published: 8/2/2021
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.commons:commons-compress | maven | < 1.21 | 1.21

Vulnerability Intelligence
Root Cause Analysis

The vulnerability is related to the handling of TAR archives in the Apache Commons Compress library. The TarArchiveInputStream class is responsible for reading TAR archives and is likely where the vulnerability exists. The patch evidence suggests that the fix involves changing how the size of TAR entries is handled, pointing to the read method as a key location for the vulnerability.


WAF Protection Rules

WAF Rule

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services t
