CVE-2021-36374
low
CVSS v3
—
CVSS v2
—
VIR risk
2.5
Description
Improper Handling of Length Parameter Inconsistency (CWE-130) in Apache Ant. When reading a specially crafted ZIP archive, or a format derived from ZIP such as a JAR file or many office documents, an Apache Ant build can be made to allocate large amounts of memory and fail with an out-of-memory error, even for a small input. This can be used to disrupt builds that use Apache Ant. Apache Ant before 1.9.16 and 1.10.11 is affected.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-36374.html
Vendor advisory: arch — https://security.archlinux.org/ASA-202107-43
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-36374
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | trixie | fixed | 1.10.11-1 |
| debian | forky | fixed | 1.10.11-1 |
| debian | sid | fixed | 1.10.11-1 |
| debian | bookworm | fixed | 1.10.11-1 |
| debian | bullseye | affected | |
| arch | — | fixed | 1.10.11-1 |
| sles | — | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.ant:ant | >=1.9.0,<1.9.16 | 1.9.16 |
| Maven | org.apache.ant:ant | >=1.10.0,<1.10.11 | 1.10.11 |
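As an added example (not code from the original page or from the Apache Ant project), the script below checks Apache Ant version strings against the two Maven ranges in the table above. It goes slightly beyond the table by also accepting the Debian package form (`1.10.11-1`, where `-1` is the packaging revision) and the banner printed by `ant -version`; the helper names, that parsing, and the sample `mvn dependency:list` output are assumptions constructed for illustration.

```python
"""Check Apache Ant version strings against the affected ranges of CVE-2021-36374.

Added example, not part of the advisory page or of Apache Ant. The ranges are the
two Maven ranges from the Package impact table: >=1.9.0,<1.9.16 and
>=1.10.0,<1.10.11 (fixed in 1.9.16 and 1.10.11). Sample input is constructed.
"""
import re
from typing import Iterable, List, Tuple

# Affected ranges as (lower bound inclusive, upper bound exclusive) version tuples.
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((1, 9, 0), (1, 9, 16)),
    ((1, 10, 0), (1, 10, 11)),
]

# First dotted numeric run in the string, e.g. "1.10.11" out of "1.10.11-1".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the dotted numeric version in `text` as a comparable int tuple.

    Assumption: accepts a bare Maven version ("1.10.11"), a Debian package
    version ("1.10.11-1", revision dropped) and an `ant -version` banner
    ("Apache Ant(TM) version 1.10.9 compiled on ..."). Two-part versions are
    padded with a zero so "1.10" compares like "1.10.0".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts


def is_affected(version: str) -> bool:
    """True if `version` lies in an affected range listed in the table.

    Versions older than 1.9.0 are outside the listed ranges and return False;
    the table makes no statement about them.
    """
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def scan_maven_dependency_list(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag affected org.apache.ant:ant entries in `mvn dependency:list` output.

    Each dependency line has the form
    `groupId:artifactId:type[:classifier]:version:scope`, so the version is the
    second-to-last colon-separated field. Returns (coordinate, version) pairs
    for the affected entries; ant-launcher and other artifacts are ignored.
    """
    hits: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.replace("[INFO]", "", 1).strip()
        if not line.startswith("org.apache.ant:ant:"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue
        version = fields[-2]
        if is_affected(version):
            hits.append((f"{fields[0]}:{fields[1]}", version))
    return hits


# Constructed sample of `mvn dependency:list` output (not real project output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.ant:ant:jar:1.10.9:compile
[INFO]    org.apache.ant:ant-launcher:jar:1.10.9:compile
[INFO]    org.apache.ant:ant:jar:1.9.16:test
[INFO]    junit:junit:jar:4.13.2:test
"""


if __name__ == "__main__":
    for coord, ver in scan_maven_dependency_list(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"affected by CVE-2021-36374: {coord} {ver}")
```

On a build host, feed the script the real output of `mvn dependency:list` or the string from `ant -version`; a result of `1.9.16`, `1.10.11` or later means the fix from the table is present.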
References
- https://security-tracker.debian.org/tracker/CVE-2021-36374
- https://security.archlinux.org/ASA-202107-43
- https://www.suse.com/security/cve/CVE-2021-36374.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-36374
- https://ant.apache.org/security.html
- https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a@%3Ccommits.groovy.apache.org%3E
- https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d@%3Ccommits.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a@%3Cnotifications.groovy.apache.org%3E
- https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E
- https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6@%3Cdev.myfaces.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210819-0007
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html