{"id":"CVE-2021-37136","details":"The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.","aliases":["GHSA-grg4-wf29-r9vv"],"modified":"2026-04-10T04:35:47.010030Z","published":"2021-10-19T15:15:07.697Z","related":["GHSA-grg4-wf29-r9vv","SUSE-SU-2022:1271-1","SUSE-SU-2022:3617-1","SUSE-SU-2022:3760-1","SUSE-SU-2022:3793-1","openSUSE-SU-2024:14442-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220210-0012/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5316"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html
"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"7d34282f9d2ffdd64c91cb4780b09902d9779b92"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.1.68"}]}},{"type":"GIT","repo":"https://github.com/oracle/helidon","events":[{"introduced":"0"},{"last_affected":"1c36ce7b6f19282361f30643ce7b973545cbdd67"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.4.10"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"fixed":"d0ffa05fe8b8fb258d6c177ff0427dd71d7d5210"},{"introduced":"0"},{"last_affected":"36f3921e00ed5568b04ab93eda3433fd3b73622f"},{"introduced":"0"},{"last_affected":"19f493aee8083cacba182d11945a3e99c2e45db4"},{"introduced":"0"},{"last_affected":"e0ec828bc92ce02c8bd29fa37e9e07f16eea28f4"},{"introduced":"0"},{"last_affected":"23590232e1cbfa38916951508719cd0ce5f0767e"},{"introduced":"0"},{"last_affected":"3e8eee41b901e9dcbdd82dc048e05ed0627ec859"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.2.4"},{"introduced":"0"},{"last_affected":"1.10.0"},{"introduced":"0"},{"last_affected":"1.11.0"},{"introduced":"0"},{"last_affected":"1.8.0"},{"introduced":"0"},{"last_affected":"1.7.0"},{"introduced":"0"},{"last_affected":"2.4.0"}]}}],"versions":["1.10.0.Final","1.11.0.Final","1.4.10","1.7.0.Final","1.8.0.Final","2.4.0.Final","netty-4.0.0.Alpha1","netty-4.0.0.Alpha2","netty-4.0.0.Alpha3","netty-4.0.0.Alpha4","netty-4.0.0.Alpha5","netty-4.0.0.Alpha6","netty-4.0.0.Alpha7","netty-4.0.0.Alpha8","netty-4.0.0.Beta1","netty-4.0.0.Beta2","netty-4.0.0.Beta3","netty-4.0.0.CR1","netty-4.0.0.CR2","netty-4.0.0.CR3","netty-4.0.0.CR4","netty-4.0.0.CR5","netty-4.0.0.CR7","netty-4.0.0.CR8","netty-4.0.0.CR9","netty-4.0.0.Final","netty-4.0.1.Final","netty-4.0.10.Final","netty-4.0.11.Final","netty-4.0.12.Final","netty-4.0.13.Final","netty-4.0.14.Beta1",
"netty-4.0.14.Final","netty-4.0.15.Final","netty-4.0.2.Final","netty-4.0.3.Final","netty-4.0.4.Final","netty-4.0.5.Final","netty-4.0.6.Final","netty-4.0.7.Final","netty-4.0.8.Final","netty-4.1.0.Beta1","netty-4.1.0.Beta2","netty-4.1.0.Beta3","netty-4.1.0.Beta4","netty-4.1.0.Beta5","netty-4.1.0.Beta6","netty-4.1.0.Beta7","netty-4.1.0.Beta8","netty-4.1.0.CR1","netty-4.1.0.CR2","netty-4.1.0.CR3","netty-4.1.0.CR4","netty-4.1.0.CR5","netty-4.1.0.CR6","netty-4.1.0.CR7","netty-4.1.0.Final","netty-4.1.1.Final","netty-4.1.10.Final","netty-4.1.11.Final","netty-4.1.12.Final","netty-4.1.13.Final","netty-4.1.14.Final","netty-4.1.15.Final","netty-4.1.16.Final","netty-4.1.17.Final","netty-4.1.18.Final","netty-4.1.19.Final","netty-4.1.2.Final","netty-4.1.20.Final","netty-4.1.21.Final","netty-4.1.22.Final","netty-4.1.23.Final","netty-4.1.24.Final","netty-4.1.25.Final","netty-4.1.26.Final","netty-4.1.27.Final","netty-4.1.28.Final","netty-4.1.29.Final","netty-4.1.3.Final","netty-4.1.30.Final","netty-4.1.31.Final","netty-4.1.32.Final","netty-4.1.33.Final","netty-4.1.34.Final","netty-4.1.35.Final","netty-4.1.36.Final","netty-4.1.37.Final","netty-4.1.38.Final","netty-4.1.39.Final","netty-4.1.4.Final","netty-4.1.40.Final","netty-4.1.41.Final","netty-4.1.42.Final","netty-4.1.43.Final","netty-4.1.44.Final","netty-4.1.45.Final","netty-4.1.46.Final","netty-4.1.47.Final","netty-4.1.48.Final","netty-4.1.49.Final","netty-4.1.5.Final","netty-4.1.50.Final","netty-4.1.51.Final","netty-4.1.52.Final","netty-4.1.53.Final","netty-4.1.54.Final","netty-4.1.55.Final","netty-4.1.56.Final","netty-4.1.57.Final","netty-4.1.58.Final","netty-4.1.59.Final","netty-4.1.6.Final","netty-4.1.60.Final","netty-4.1.61.Final","netty-4.1.62.Final","netty-4.1.63.Final","netty-4.1.64.Final","netty-4.1.65.Final","netty-4.1.66.Final","netty-4.1.67.Final","netty-4.1.7.Final","netty-4.1.8.Final","netty-4.1.9.Final"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"18.1"},{"last_affected":"18.3"}]},{"events":[
{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"14.1.1.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.2"}]},{"events":[{"introduced":"0"},{"fixed":"12.0.0.4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"12-0\\.0\\.5\\.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.15.0"}]},{"events":[{"introduced":"8.0.0.0"},{"last_affected":"8.5.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.1"}]},{"events":[{"introduced":"0"},{"last_affected":"8.48"}]},{"events":[{"introduced":"0"},{"last_affected":"8.57"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-37136.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}