Lucene search

[email protected]NVD:CVE-2021-37137

HistoryOct 19, 2021 - 3:15 p.m.

CVE-2021-37137

2021-10-1915:15:07

CWE-400

[email protected]

web.nvd.nist.gov

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.007 Low

EPSS

Percentile

80.1%

JSON

The Snappy frame decoder function doesn’t restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Affected configurations

NVD

Node

nettynettyRange<4.1.68

Node

oraclebanking_apisRange18.1–18.3

oraclebanking_apisMatch19.1

oraclebanking_apisMatch19.2

oraclebanking_apisMatch20.1

oraclebanking_apisMatch21.1

oraclebanking_digital_experienceMatch18.1

oraclebanking_digital_experienceMatch18.2

oraclebanking_digital_experienceMatch18.3

oraclebanking_digital_experienceMatch19.1

oraclebanking_digital_experienceMatch19.2

oraclebanking_digital_experienceMatch20.1

oraclebanking_digital_experienceMatch21.1

oraclecommerce_guided_searchMatch11.3.2

oraclecommunications_brm_-_elastic_charging_engineRange<12.0.0.4.6

oraclecommunications_brm_-_elastic_charging_engineMatch12.0.0.5.0

oraclecommunications_cloud_native_core_binding_support_functionMatch1.10.0

oraclecommunications_diameter_signaling_routerRange8.0.0.0–8.5.0.2

oraclepeoplesoft_enterprise_peopletoolsMatch8.57

oraclepeoplesoft_enterprise_peopletoolsMatch8.58

oraclepeoplesoft_enterprise_peopletoolsMatch8.59

oraclewebcenter_portalMatch12.2.1.3.0

oraclewebcenter_portalMatch12.2.1.4.0

Node

quarkusquarkusRange<2.2.4

Node

netapponcommand_insightMatch-

Node

debiandebian_linuxMatch10.0

debiandebian_linuxMatch11.0

References

github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363

lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E

lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E

lists.debian.org/debian-lts-announce/2023/01/msg00008.html

security.netapp.com/advisory/ntap-20220210-0012/

www.debian.org/security/2023/dsa-5316

www.oracle.com/security-alerts/cpuapr2022.html

www.oracle.com/security-alerts/cpujan2022.html

www.oracle.com/security-alerts/cpujul2022.html

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.007 Low

EPSS

Percentile

80.1%

JSON

Related for NVD:CVE-2021-37137

veracode1 prion1 ubuntucve1 github1 cvelist1 osv6 redhatcve1 cve1 debiancve1 ibm23 redhat21 nessus11 debian2 openvas4 suse1 rocky1 ubuntu1 oracle4