CVE-2021-35516

HIGH

Apache Commons Compress 1.6-1.20 - Denial of Service via Malicious 7Z Archive


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-35516. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: The repository contains only partial source code files from Apache Commons Compress without any exploit code or technical analysis. No PoC or vulnerability demonstration is present.

Description

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package (org.apache.commons.compress.archivers.sevenz). The issue is fixed in Apache Commons Compress 1.21; users should upgrade to 1.21 or later.
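The description above says a tiny archive can drive the parser into huge allocations. That is possible because the 7z format stores sizes and item counts as attacker-supplied integers, and a parser that sizes buffers or arrays from those values before checking them against the bytes actually present will allocate on the attacker's say-so. The standard defence is to bound every declared size or count by the remaining input before allocating. The Python below is an added example, not code from Commons Compress or from either linked repository: a pre-filter that validates the 32-byte 7z signature header (signature, CRCs, and that the declared next header fits inside the file) and then checks a claimed item count against the bytes that remain. MAX_HEADER_BYTES and the min_bytes_per_item parameter are policy assumptions for this example, the sample archives are constructed inline, and the next-header contents are simplified to a single count (a real 7z property header carries more structure).

```python
import struct
import zlib

# 7z signature header layout (32 bytes, little-endian):
#   off  len  field
#     0    6  signature "7z\xBC\xAF\x27\x1C"
#     6    2  version (major, minor)
#     8    4  StartHeaderCRC   CRC32 over bytes 12..31
#    12    8  NextHeaderOffset relative to byte 32
#    20    8  NextHeaderSize
#    28    4  NextHeaderCRC    CRC32 over the next header bytes
SEVENZ_SIGNATURE = b"7z\xbc\xaf\x27\x1c"
SIGNATURE_HEADER_LEN = 32

# Policy limit (assumption for this example): never buffer a header larger than this,
# whatever the archive claims.
MAX_HEADER_BYTES = 1 << 20


def read_7z_number(buf, pos):
    """Decode the 7z variable-length integer at buf[pos]; return (value, new_pos).

    The number of leading 1 bits in the first byte is the number of extra bytes
    that follow (little-endian); the remaining low bits of the first byte form
    the high part of the value. 0xFF means eight full bytes follow.
    """
    if pos >= len(buf):
        raise ValueError("truncated 7z number")
    first = buf[pos]
    pos += 1
    mask = 0x80
    value = 0
    for i in range(8):
        if first & mask == 0:
            value |= (first & (mask - 1)) << (8 * i)
            return value, pos
        if pos >= len(buf):
            raise ValueError("truncated 7z number")
        value |= buf[pos] << (8 * i)
        pos += 1
        mask >>= 1
    return value, pos


def check_signature_header(data):
    """Return (ok, reason). Rejects headers whose declared geometry cannot fit in data."""
    if len(data) < SIGNATURE_HEADER_LEN:
        return False, "truncated signature header"
    if data[:6] != SEVENZ_SIGNATURE:
        return False, "bad 7z signature"
    (start_crc,) = struct.unpack_from("<I", data, 8)
    if zlib.crc32(data[12:32]) & 0xFFFFFFFF != start_crc:
        return False, "StartHeaderCRC mismatch"
    next_off, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    # Bound the declared size by policy BEFORE using it for anything (Python ints
    # cannot overflow, but a Java/C port must also guard the additions below).
    if next_size > MAX_HEADER_BYTES:
        return False, "declared NextHeaderSize %d exceeds limit %d" % (next_size, MAX_HEADER_BYTES)
    start = SIGNATURE_HEADER_LEN + next_off
    end = start + next_size
    if end > len(data):
        return False, "next header (%d..%d) extends past end of file (%d bytes)" % (start, end, len(data))
    if zlib.crc32(data[start:end]) & 0xFFFFFFFF != next_crc:
        return False, "NextHeaderCRC mismatch"
    return True, "ok"


def check_claimed_count(header, pos, min_bytes_per_item):
    """Read a 7z number used as an item count and refuse it if the remaining header
    bytes could not possibly describe that many items. This is the check that must
    run before any array or buffer is sized from the count."""
    count, pos = read_7z_number(header, pos)
    remaining = len(header) - pos
    if count > remaining // min_bytes_per_item:
        return False, "claimed %d items but only %d header bytes remain" % (count, remaining)
    return True, "%d items, %d bytes remain" % (count, remaining)


def build_signature_header(next_header, claimed_next_size=None):
    """Constructed test helper: a well-formed signature header for next_header placed
    directly after it (offset 0), optionally lying about NextHeaderSize."""
    next_size = len(next_header) if claimed_next_size is None else claimed_next_size
    tail = struct.pack("<QQI", 0, next_size, zlib.crc32(next_header) & 0xFFFFFFFF)
    return SEVENZ_SIGNATURE + b"\x00\x04" + struct.pack("<I", zlib.crc32(tail) & 0xFFFFFFFF) + tail


# Constructed sample inputs (not real archives from the wild).
BENIGN_NEXT_HEADER = b"\x02" + b"\xaa\xbb"   # claims 2 items, 2 bytes of payload follow
MALICIOUS_NEXT_HEADER = b"\x92\x34"          # claims 0x1234 items, nothing follows
BENIGN_ARCHIVE = build_signature_header(BENIGN_NEXT_HEADER) + BENIGN_NEXT_HEADER
OVERSIZED_ARCHIVE = build_signature_header(BENIGN_NEXT_HEADER, claimed_next_size=1 << 40) + BENIGN_NEXT_HEADER
TRUNCATED_ARCHIVE = build_signature_header(BENIGN_NEXT_HEADER, claimed_next_size=100) + BENIGN_NEXT_HEADER

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_ARCHIVE), ("oversized", OVERSIZED_ARCHIVE), ("truncated", TRUNCATED_ARCHIVE)):
        print(name, check_signature_header(blob))
    print("benign count", check_claimed_count(BENIGN_NEXT_HEADER, 0, 1))
    print("malicious count", check_claimed_count(MALICIOUS_NEXT_HEADER, 0, 1))
```

Two points worth noting from the samples: the oversized archive passes its StartHeaderCRC check because the CRC is computed over the lying fields, so a checksum is an integrity aid and not a security control; and a count of 0x1234 packed into two bytes is exactly the "very small input" the description referses to, which is why the count has to be compared against the remaining bytes rather than trusted.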

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2021-35516-commons-compress-vulnerable

The repository contains only partial source code files from Apache Commons Compress without any exploit code or technical analysis. No PoC or vulnerability demonstration is present.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Apache Commons Compress
No auth needed
devstral-2 · analyzed Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2021-35516-commons-compress-vulnerable

This repository contains the vulnerable source code of Apache Commons Compress, specifically the files related to archive handling. Note that CVE-2021-35516 is an unbounded memory allocation in the sevenz package that leads to an out of memory error (denial of service), not an arbitrary file write or path traversal; the earlier classification of this repository as demonstrating the latter does not match the CVE.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Apache Commons Compress
No auth needed
Prerequisites: Access to a system using Apache Commons Compress to process malicious archives
devstral-2 · analyzed Feb 18, 2026

References (18; 6 listed here)

http://www.openwall.com/lists/oss-security/2021/07/13/2 (Mailing List, Third Party Advisory)
https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
https://security.netapp.com/advisory/ntap-20211022-0001/ (Third Party Advisory)
https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)

Scores

CVSS v3 7.5
EPSS 0.0174
EPSS Percentile 83.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-130 (Improper Handling of Length Parameter Inconsistency), CWE-770 (Allocation of Resources Without Limits or Throttling)
Status published
Products (46)
apache/commons_compress 1.6 - 1.20
netapp/active_iq_unified_manager (3 CPE variants)
netapp/oncommand_insight
oracle/banking_digital_experience 19.1
oracle/banking_digital_experience 19.2
oracle/banking_digital_experience 20.1
oracle/banking_digital_experience 21.1
oracle/banking_digital_experience 18.1 - 18.3
oracle/banking_enterprise_default_management 2.7.0
oracle/banking_party_management 2.7.0
... and 36 more
Published Jul 13, 2021
Tracked Since Feb 18, 2026