{"id":"CVE-2021-36374","details":"When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out-of-memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used formats derived from ZIP archives are, for instance, JAR files and many office files. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.","aliases":["GHSA-5v34-g2px-j4fw"],"modified":"2026-04-10T04:35:31.177016Z","published":"2021-07-14T07:15:08.400Z","related":["SUSE-SU-2022:1417-1","SUSE-SU-2022:1418-1","openSUSE-SU-2024:11688-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/rad36f470647c5a7c02dd78c9973356d2840766d132b597b6444e373a%40%3Cnotifications.groovy.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf4bb79751a02889623195715925e4fd8932dd3c97e0ade91395a96c6%40%3Cdev.myfaces.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r27919fd4db07c487239c1d9771f480d89ce5ee2750aa9447309b709a%40%3Ccommits.groovy.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r544c9e8487431768465b8b2d13982c75123109bd816acf839d46010d%40%3Ccommits.groovy.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210819-0007/"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://ant.apache.org/security.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/ant","events":[{"introduced":"b47c505fa7563e9b0ea1e4667ae8f2f
7aed3b007"},{"fixed":"ea698c4543e319b05761a0fcba0c7e9f6cae3b96"},{"introduced":"451364131fb89af099496ee27703c1a5c408d1f2"},{"fixed":"01ce0c3b1e9cceff735ba542722c9a1de4502b36"},{"introduced":"0"},{"last_affected":"b47c505fa7563e9b0ea1e4667ae8f2f7aed3b007"},{"introduced":"0"},{"last_affected":"ba9786dbe557e4a12f91a597cc26638b29c93b9f"},{"introduced":"0"},{"last_affected":"ba9786dbe557e4a12f91a597cc26638b29c93b9f"},{"introduced":"0"},{"last_affected":"ba9786dbe557e4a12f91a597cc26638b29c93b9f"},{"introduced":"0"},{"last_affected":"ba9786dbe557e4a12f91a597cc26638b29c93b9f"},{"introduced":"0"},{"last_affected":"ba9786dbe557e4a12f91a597cc26638b29c93b9f"}],"database_specific":{"versions":[{"introduced":"1.9.0"},{"fixed":"1.9.16"},{"introduced":"1.10.0"},{"fixed":"1.10.11"},{"introduced":"0"},{"last_affected":"1.9.0"},{"introduced":"0"},{"last_affected":"14.1"},{"introduced":"0"},{"last_affected":"14.1"},{"introduced":"0"},{"last_affected":"14.1"},{"introduced":"0"},{"last_affected":"14.1"},{"introduced":"0"},{"last_affected":"14.1"}]}}],"versions":["ANT_1.10.6_RC1","ANT_14_B1","ANT_190","rel/1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-36374.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"6.2.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.6"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"14.5"}]},{"events":[{"introduced":"0"},{"last_affected":"1.11.0"}]},{"events":[{"introduced":"8.0.0"},{"last_affected":"8.1.0"}]},{"events":[{"introduced":"8.2.0"},{"last_affected":"8.2.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.1"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4.2"}]
},{"events":[{"introduced":"0"},{"last_affected":"7.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.1.7.0"}]},{"events":[{"introduced":"8.0.6"},{"last_affected":"8.1.1"}]},{"events":[{"introduced":"3.0.1"},{"last_affected":"3.0.5"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.0.1"}]},{"events":[{"introduced":"11.0"},{"last_affected":"11.3.1"}]},{"events":[{"introduced":"17.12.0"},{"last_affected":"17.12.11"}]},{"events":[{"introduced":"18.8.0"},{"last_affected":"18.8.12"}]},{"events":[{"introduced":"19.12.0"},{"last_affected":"19.12.11"}]},{"events":[{"introduced":"20.12.0"},{"last_affected":"20.12.7"}]},{"events":[{"introduced":"17.7"},{"last_affected":"17.12"}]},{"events":[{"introduced":"0"},{"last_affected":"18.8"}]},{"events":[{"introduced":"0"},{"last_affected":"19.12"}]},{"events":[{"introduced":"0"},{"last_affected":"20.12"}]},{"events":[{"introduced":"0"},{"last_affected":"3.6.1"}]},{"events":[{"introduced":"0"},{"last_affected":"3.2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.1.1.9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"20.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2.8"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1.0"}]}
,{"events":[{"introduced":"0"},{"last_affected":"16.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"14.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0.6"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"18.0.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.0.1"}]},{"events":[{"introduced":"0"},{"fixed":"11.2.2.8.27"}]},{"events":[{"introduced":"4.3.0.1.0"},{"last_affected":"4.3.0.6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.0.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.4.0.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0.0.1.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}