Apache Commons Compress 1.0 to 1.20 denial of service vulnerability
Description
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A specially crafted ZIP archive triggers excessive memory allocation in Apache Commons Compress (1.0–1.20) and Apache Ant, causing denial of service.
Vulnerability
An out-of-memory vulnerability exists in the Apache Commons Compress library (versions 1.0 to 1.20) and in Apache Ant (1.9.x before 1.9.16, 1.10.x before 1.10.11). When reading a specially crafted ZIP archive (or derived formats such as JAR files or office documents), the parser can be made to allocate large amounts of memory, leading to an OutOfMemoryError even for very small input files [1] [2] [3].
Exploitation
The attacker needs only the ability to supply a malicious ZIP archive to an application that uses Compress's ZIP package or Apache Ant's ZIP-based archive handling. No authentication or special privileges are required; the attack can be launched by uploading or including a crafted archive. The vulnerability is triggered automatically when the file is read or processed [1] [3].
Impact
Successful exploitation results in a denial of service (DoS) condition. The affected application (service, build process, etc.) exhausts available memory, causing it to crash or become unresponsive. The impact is limited to availability; no data confidentiality or integrity is compromised [1] [2].
Mitigation
Upgrade to a fixed version: Apache Commons Compress 1.21 or later [3]; Apache Ant 1.9.16 or later, or 1.10.11 or later [2]. No workarounds are provided in the available references [1] [2] [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-compress (Maven) | < 1.21 | 1.21 |
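A quick way to act on the table above is to scan a build manifest for the affected coordinates and compare the resolved version against the patched version. The script below is an added example, not code from the advisory or from the Commons Compress project; it reads Maven `pom.xml` content, resolves `${property}` version references, and reports whether each `org.apache.commons:commons-compress` dependency falls inside the `< 1.21` range. The `SAMPLE_POM` document is constructed for illustration; a dependency whose version is inherited from a parent or BOM is reported as unresolved rather than guessed.

```python
"""Flag org.apache.commons:commons-compress dependencies below the patched version.

Added example (not part of the advisory or the Commons Compress project).
Affected coordinates and the patched version come from the advisory table;
the sample pom.xml below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_GROUP = "org.apache.commons"
AFFECTED_ARTIFACT = "commons-compress"
PATCHED_VERSION = "1.21"  # patched-versions column of the advisory


def parse_version(version):
    """Turn '1.20', '1.21', '1.9.16' into a comparable tuple of ints.

    Parsing stops at the first non-numeric segment, so '1.21-lp152.2.3.1'
    becomes (1, 21). Pre-release qualifiers such as '1.21-SNAPSHOT' are therefore
    treated as the release they name; flag those separately if that matters.
    """
    nums = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def is_vulnerable(version):
    """True if the version is in the advisory's affected range (< 1.21)."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def audit_pom(pom_xml):
    """Return [(version, verdict), ...] for each affected dependency in a pom.

    verdict is 'vulnerable', 'fixed', or 'unresolved' (version managed elsewhere).
    """
    root = ET.fromstring(pom_xml)

    # Collect <properties> so that ${name} version references can be resolved.
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()

    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) != (
            AFFECTED_GROUP, AFFECTED_ARTIFACT
        ):
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{(.+)\}", version)
        if m:
            version = props.get(m.group(1), "")
        if not version:
            results.append(("", "unresolved"))
        elif is_vulnerable(version):
            results.append((version, "vulnerable"))
        else:
            results.append((version, "fixed"))
    return results


# Constructed sample: one dependency pinned through a property to an affected version.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>archive-service</artifactId>
  <version>1.0.0</version>
  <properties>
    <compress.version>1.20</compress.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>${compress.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, verdict in audit_pom(SAMPLE_POM):
        print(f"{AFFECTED_GROUP}:{AFFECTED_ARTIFACT} {version or '?'}: {verdict}")
```

Run it against a real `pom.xml` by reading the file into `audit_pom`; a transitive dependency pulled in by another library will not appear in the pom, so pair this with `mvn dependency:tree` output when auditing a whole build.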
Affected products
GHSA coordinates (6 version ranges):
- pkg:maven/org.apache.commons/commons-compress (no CPE) range: < 1.21
- pkg:rpm/opensuse/apache-commons-compress&distro=openSUSE%20Leap%2015.2 (no CPE) range: < 1.21-lp152.2.3.1
- pkg:rpm/opensuse/apache-commons-compress&distro=openSUSE%20Leap%2015.3 (no CPE) range: < 1.21-3.3.1
- pkg:rpm/opensuse/apache-commons-compress&distro=openSUSE%20Tumbleweed (no CPE) range: < 1.21-1.2
- pkg:rpm/suse/apache-commons-compress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2 (no CPE) range: < 1.21-3.3.1
- pkg:rpm/suse/apache-commons-compress&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 (no CPE) range: < 1.21-3.3.1
- Apache Software Foundation / Apache Commons Compress (CVE v5 record range): Apache Commons Compress
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mc84-pj99-q6hh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-36090 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2021/07/13/4 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- www.openwall.com/lists/oss-security/2021/07/13/6 (ghsa, mailing-list, x_refsource_MLIST, WEB)
- commons.apache.org/proper/commons-compress/security-reports.html (ghsa, x_refsource_MISC, WEB)
- lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9%40%3Cannounce.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456%40%3Cdev.drill.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3Cdev.drill.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3Cissues.drill.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3Cissues.drill.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab%40%3Cdev.drill.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3Cdev.drill.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949%40%3Ccommits.drill.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5%40%3Cdev.tomcat.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53%40%3Cannounce.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3Cannounce.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7%40%3Cnotifications.james.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3Cnotifications.james.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d%40%3Cdev.drill.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3Cdev.drill.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E (ghsa, x_refsource_MISC, WEB)
- lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf%40%3Cdev.drill.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3Cdev.drill.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3Cuser.ant.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6%40%3Cissues.drill.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3Cissues.drill.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a%40%3Cissues.drill.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3Cissues.drill.apache.org%3E (ghsa, WEB)
- lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E (mitre, mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E (ghsa, WEB)
- security.netapp.com/advisory/ntap-20211022-0001 (ghsa, WEB)
- security.netapp.com/advisory/ntap-20211022-0001/ (mitre, x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpuapr2022.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujan2022.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpujul2022.html (ghsa, x_refsource_MISC, WEB)
- www.oracle.com/security-alerts/cpuoct2021.html (ghsa, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.