
CVE-2021-35516 in dependency org.apache.commons:commons-compress


Situation

Testcontainers depends on org.apache.commons:commons-compress version 1.20, which has a reported vulnerability CVE-2021-35516. Specially crafted archives can be used to allocate large amounts of memory, resulting in DoS.

Solution

Please update the dependency:

<dependency>
  <groupId>org.apache.commons</groupId>
  <artifactId>commons-compress</artifactId>
  <version>1.21</version>
</dependency>
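Where commons-compress arrives only transitively through Testcontainers, a consumer project can pin the fixed version itself. This Maven dependencyManagement fragment is an added example, not code from the issue or from the Testcontainers project; 1.21 is the version the issue names, and the surrounding pom.xml is assumed.

```xml
<!-- Added example, not from the issue: dependencyManagement overrides the
     version chosen for every path to commons-compress, including the
     transitive one pulled in by Testcontainers, without declaring a direct
     dependency that the project does not otherwise use. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-compress</artifactId>
      <version>1.21</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.commons:commons-compress`, which should list only 1.21.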

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:2
  • Comments:8 (3 by maintainers)

Top GitHub Comments

2 reactions
kiview commented, Jul 28, 2021

Thanks for bringing this to our attention @redcatbear.

Please note that this is not an attack vector for normal Testcontainer usage scenarios and is unlikely to have exploitable consequences.

1 reaction
redcatbear commented, Jul 28, 2021

Thanks for recognizing the issue. I agree that the use case for an exploit is not the typical testcontainer scenario. Still, it is a good idea to keep one's software as clean as possible, and the fix in this case is luckily trivial.

