CVE-2021-35515 - Denial of Service

Severity: Low

Date: 2021-08-25


Abstract

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use the Apache Commons Compress sevenz package.

Affected Products/Versions

Product | Severity | Fixed Release Availability
Oxygen XML Editor 23.1 and older versions | Low | Oxygen XML Editor 23.1 build 2021082307
Oxygen XML Developer 23.1 and older versions | Low | Oxygen XML Developer 23.1 build 2021082307
Oxygen XML Author 23.1 and older versions | Low | Oxygen XML Author 23.1 build 2021082307
Oxygen Content Fusion 4.1 and older versions | Low | Oxygen Content Fusion 4.1.2 build 2021112414

Mitigation

None; upgrade to one of the fixed builds listed above.

Detail

CVE-2021-35515

Severity of the underlying vulnerability: High

CVSS Score: 7.5

The Apache Commons Compress library bundled with Oxygen XML software products was one of the versions listed as affected in the CVE-2021-35515 vulnerability description.

Starting with version 23.1 build 2021082307, the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.
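As an added check (not part of this advisory and not Oxygen's own tooling), the following POSIX shell script scans an installation directory for bundled commons-compress jars and reports whether each one is at or above the 1.21 threshold stated above. It assumes the library ships as a commons-compress-<version>.jar file somewhere under the install tree and that the installation path is passed as the first argument; both are assumptions, and the version comparison is done numerically per component so that 1.9 is correctly treated as older than 1.21.

```shell
#!/bin/sh
# Added example, not from the advisory: verify the bundled Apache Commons
# Compress version in an installation directory against the fixed release.
# The install layout (commons-compress-<version>.jar under the tree) is an
# assumption; the 1.21 threshold is the one the advisory states.

FIXED_VERSION="1.21"

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing each
# component as a number so that "1.9" < "1.21" and "1.21.1" >= "1.21".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# jar_version JARPATH: print the Implementation-Version from the jar's
# manifest; if the jar cannot be read, fall back to the version embedded
# in the file name (commons-compress-<version>.jar).
jar_version() {
    jar="$1"
    v=$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null \
        | tr -d '\r' | awk -F': ' '/^Implementation-Version:/ {print $2; exit}')
    if [ -z "$v" ]; then
        v=$(basename "$jar" .jar | sed -n 's/^commons-compress-\([0-9][0-9.]*\).*/\1/p')
    fi
    printf '%s\n' "$v"
}

# check_install DIR: report every commons-compress jar under DIR.
# Returns 0 if all are >= FIXED_VERSION, 1 if any is older or unknown,
# 2 if no jar was found at all (so nothing could be verified).
check_install() {
    dir="$1"
    status=0
    found=0
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        found=1
        v=$(jar_version "$jar")
        if [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"; then
            echo "OK         $jar ($v)"
        else
            echo "VULNERABLE $jar (${v:-unknown}) - needs >= $FIXED_VERSION"
            status=1
        fi
    done <<EOF
$(find "$dir" -type f -name 'commons-compress-*.jar' 2>/dev/null)
EOF
    [ "$found" -eq 1 ] || { echo "no commons-compress jar found under $dir"; status=2; }
    return $status
}

# Usage: sh check-compress.sh /path/to/oxygen-install
if [ -n "${1:-}" ]; then
    check_install "$1"
fi
```

Run it against the installation root of each product (the path is whatever your deployment uses) and treat exit status 2 as "unverified" rather than "safe": a renamed or shaded copy of the library would not be matched by the file-name pattern, and the manifest lookup requires unzip to be on the PATH.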

Revision History

2021-12-07 Starting with Oxygen Content Fusion version 4.1 build ...., the Apache Commons Compress package was updated to version 1.21, which includes a fix for this vulnerability.
