CVE-2021-35517

HIGH

Apache Commons Compress 1.1-1.19 - Denial of Service via Malicious TAR Archive


Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-35517. PoCs published by dawetmaster and andikahilmy.


Description

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Exploits (2)

Working PoC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2021-35517-commons-compress-vulnerable

This repository contains the vulnerable source code of Apache Commons Compress, specifically the archivers module, which is affected by CVE-2021-35517. The code includes the necessary classes to reproduce the vulnerability, likely related to archive entry handling.

Classification: Working PoC (90%)
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Apache Commons Compress
No auth needed
Prerequisites: vulnerable version of Apache Commons Compress
devstral-2 · analyzed Mar 14, 2026
Working PoC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2021-35517-commons-compress-vulnerable

This repository contains a vulnerable version of Apache Commons Compress, specifically targeting CVE-2021-35517, which involves an infinite loop vulnerability in the ARJ archive parsing. The provided code includes the full source of the vulnerable library, allowing for exploitation testing.

Classification: Working PoC (90%)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Apache Commons Compress < 1.21
No auth needed
Prerequisites: A system running a vulnerable version of Apache Commons Compress · Ability to provide a maliciously crafted ARJ archive file
devstral-2 · analyzed Feb 18, 2026

References (22)

Core References
http://www.openwall.com/lists/oss-security/2021/07/13/3 (Mailing List, Third Party Advisory)
http://www.openwall.com/lists/oss-security/2021/07/13/5 (Mailing List, Third Party Advisory)
https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
https://security.netapp.com/advisory/ntap-20211022-0001/ (Third Party Advisory)
https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)

Scores

CVSS v3 7.5
EPSS 0.0132
EPSS Percentile 80.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE: CWE-130, CWE-770
Status published
Products (48)
apache/commons_compress 1.1 - 1.20
netapp/active_iq_unified_manager (3 CPE variants)
netapp/oncommand_insight
oracle/banking_apis 19.1
oracle/banking_apis 19.2
oracle/banking_apis 20.1
oracle/banking_apis 21.1
oracle/banking_apis 18.1 - 18.3
oracle/banking_digital_experience 19.1
oracle/banking_digital_experience 19.2
... and 38 more
Published Jul 13, 2021
Tracked Since Feb 18, 2026