CVE-2021-36374

Apache Ant ZIP, and ZIP-based, archive denial of service vulnerability

Description

When reading a specially crafted ZIP archive, or one of its derived formats, an Apache Ant build can be made to allocate large amounts of memory, leading to an out-of-memory error even for small inputs. This can be used to disrupt builds that use Apache Ant. Commonly used formats derived from ZIP include JAR files and many office document formats. Apache Ant versions prior to 1.9.16 and 1.10.11 are affected.

Remediation

Workaround:

  • Apache Ant 1.9.x users should upgrade to 1.9.16 or later. Apache Ant 1.10.x users should upgrade to 1.10.11 or later.
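As an added example (not part of the advisory or of the Ant project), the check below turns the two upgrade thresholds stated above into a small inventory test: it parses the version out of an `ant -version` style string and reports whether that version is below the fixed release for its line. The function names, the `SAMPLE_INVENTORY` lines and the hostnames in them are constructed for illustration; the only facts taken from the advisory are the fixed versions 1.9.16 and 1.10.11.

```python
# Added example: classify Apache Ant versions against the fix thresholds
# named in the advisory (1.9.16 for the 1.9 line, 1.10.11 for the 1.10 line).
import re

# Fixed releases stated in the advisory, per release line.
FIXED_1_9 = (1, 9, 16)
FIXED_1_10 = (1, 10, 11)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) for the first dotted number in `text`.

    Works on a bare version ("1.10.9") or on the banner `ant -version`
    prints ("Apache Ant(TM) version 1.10.9 compiled on ..."). Feed it the
    version field rather than arbitrary text containing other dotted numbers.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version_text):
    """True when the version is below the fixed release for its line.

    The advisory says versions prior to 1.9.16 and 1.10.11 are affected, so
    1.10.x is compared against 1.10.11 and everything else (1.9.x and older
    lines) against 1.9.16. Tuple comparison is element-wise, so 1.10.9 sorts
    below 1.10.11 as intended.
    """
    v = parse_version(version_text)
    if v[:2] == (1, 10):
        return v < FIXED_1_10
    return v < FIXED_1_9


# Constructed inventory lines: "<hostname> <ant -version banner>". The hosts
# and compile dates are made up; they are not from the advisory.
SAMPLE_INVENTORY = [
    "build01 Apache Ant(TM) version 1.10.9 compiled on January 1 2000",
    "build02 Apache Ant(TM) version 1.9.16 compiled on January 1 2000",
    "build03 Apache Ant(TM) version 1.10.11 compiled on January 1 2000",
    "build04 Apache Ant(TM) version 1.9.15 compiled on January 1 2000",
]


def vulnerable_hosts(inventory):
    """Return the hostnames whose Ant version is still below the fix."""
    hits = []
    for line in inventory:
        host, banner = line.split(None, 1)
        if is_affected(banner):
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Apache Ant below fixed version, upgrade required")
```

Running the module against a real inventory only requires replacing `SAMPLE_INVENTORY` with the collected `ant -version` output per host; the comparison itself needs no network access or NVD lookup.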

Scoring

CVSS base score: 5.5
Severity: Medium
EPSS: 0.15%
Vendor Advisory: apache.org
Affected: Apache Software Foundation Apache Ant

Frequently Asked Questions

What is the severity of CVE-2021-36374?
CVE-2021-36374 has been scored as a medium severity vulnerability.
How to fix CVE-2021-36374?
As a workaround for remediating CVE-2021-36374: Apache Ant 1.9.x users should upgrade to 1.9.16 or later. Apache Ant 1.10.x users should upgrade to 1.10.11 or later.
Is CVE-2021-36374 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2021-36374 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-36374?
CVE-2021-36374 affects Apache Software Foundation Apache Ant.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.