CVE-2021-35515

HIGH

Apache Commons Compress 1.6-1.19 - Denial of Service via Crafted 7Z Archive


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-35515. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: This repository contains the source code of Apache Commons Compress at a vulnerable commit but lacks any exploit code or technical analysis. It appears to be a placeholder or reference for the vulnerable version.

Description

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2021-35515-commons-compress-vulnerable

This repository contains the source code of Apache Commons Compress at a vulnerable commit but lacks any exploit code or technical analysis. It appears to be a placeholder or reference for the vulnerable version.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Apache Commons Compress
No auth needed
Prerequisites: Vulnerable version of Apache Commons Compress
devstral-2 · analyzed Mar 14, 2026
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2021-35515-commons-compress-vulnerable

This repository contains the source code of Apache Commons Compress in a vulnerable state (CVE-2021-35515), likely for analysis or testing purposes. It includes build configurations, documentation, and core Java source files but lacks explicit exploit code or technical analysis of the vulnerability itself.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Apache Commons Compress (version not explicitly specified)
No auth needed
Prerequisites: Access to a vulnerable version of Apache Commons Compress
devstral-2 · analyzed Feb 18, 2026

References (21)

Mailing List, Third Party Advisory: http://www.openwall.com/lists/oss-security/2021/07/13/1
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory: https://security.netapp.com/advisory/ntap-20211022-0001/
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuapr2022.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2022.html

Scores

CVSS v3 7.5
EPSS 0.0119
EPSS Percentile 79.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-834 CWE-835
Status published
Products (46)
apache/commons_compress 1.6 - 1.20
netapp/active_iq_unified_manager (3 CPE variants)
netapp/oncommand_insight
oracle/banking_digital_experience 19.1
oracle/banking_digital_experience 20.1
oracle/banking_digital_experience 21.1
oracle/banking_digital_experience 18.1 - 18.3
oracle/banking_enterprise_default_management 2.7.0
oracle/banking_party_management 2.7.0
oracle/banking_payments 14.5
... and 36 more
Published Jul 13, 2021
Tracked Since Feb 18, 2026