{"id":"CVE-2021-37136","details":"The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OutOfMemoryError (OOME), resulting in a denial-of-service (DoS) attack.","aliases":["GHSA-grg4-wf29-r9vv"],"modified":"2026-05-15T12:14:09.433551862Z","published":"2021-10-19T15:15:07.697Z","related":["SUSE-SU-2022:1271-1","SUSE-SU-2022:3617-1","SUSE-SU-2022:3760-1","SUSE-SU-2022:3793-1","openSUSE-SU-2024:14442-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"10.0"},{"last_affected":"11.0"}],"source":"CPE_FIELD","vendor_product":"debian:debian_linux"},{"cpes":["cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:banking_apis","source":"CPE_FIELD","extracted_events":[{"introduced":"18.1"},{"last_affected":"18.3"},{"last_affected":"19.1"},{"last_affected":"19.2"},{"last_affected":"20.1"},{"last_affected":"21.1"}]},{"cpes":["cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:banking_digital_experience","source":"CPE_FIELD","extracted_events":[{"last_affected":"18.1"},{"last_affected":"18.2"},{"last_affected":"18.3"},{"last_affected":"19.1"},{"last_af
fected":"19.2"},{"last_affected":"20.1"},{"last_affected":"21.1"}]},{"cpes":["cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"12.2.1.4.0"},{"last_affected":"14.1.1.0.0"}],"source":"CPE_FIELD","vendor_product":"oracle:coherence"},{"cpes":["cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"11.3.2"}],"source":"CPE_FIELD","vendor_product":"oracle:commerce_guided_search"},{"cpes":["cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12:0.0.5.0:*:*:*:*:*:*"],"extracted_events":[{"fixed":"12.0.0.4.6"},{"last_affected":"12-0\\.0\\.5\\.0"}],"source":"CPE_FIELD","vendor_product":"oracle:communications_brm_-_elastic_charging_engine"},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"1.10.0"},{"last_affected":"1.11.0"}],"source":"CPE_FIELD","vendor_product":"oracle:communications_cloud_native_core_binding_support_function"},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"1.8.0"}],"source":"CPE_FIELD","vendor_product":"oracle:communications_cloud_native_core_network_slice_selection_function"},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"1.15.0"}],"source":"CPE_FIELD","vendor_product":"oracle:communications_cloud_native_core_policy"},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_security_edge_protection_proxy","source":"CPE_FIELD","extracted_events
":[{"last_affected":"1.7.0"}]},{"cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.15.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"1.15.0"}],"source":"CPE_FIELD","vendor_product":"oracle:communications_cloud_native_core_unified_data_repository"},{"cpes":["cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_diameter_signaling_router","source":"CPE_FIELD","extracted_events":[{"introduced":"8.0.0.0"},{"last_affected":"8.5.0.2"}]},{"cpes":["cpe:2.3:a:oracle:communications_instant_messaging_server:8.1:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.1"}],"source":"CPE_FIELD","vendor_product":"oracle:communications_instant_messaging_server"},{"cpes":["cpe:2.3:a:oracle:helidon:1.4.10:*:*:*:*:*:*:*","cpe:2.3:a:oracle:helidon:2.4.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:helidon","source":"CPE_FIELD","extracted_events":[{"last_affected":"1.4.10"},{"last_affected":"2.4.0"}]},{"cpes":["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.48:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.48"},{"last_affected":"8.57"},{"last_affected":"8.58"},{"last_affected":"8.59"}],"source":"CPE_FIELD","vendor_product":"oracle:peoplesoft_enterprise_peopletools"},{"cpes":["cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:webcenter_portal","source":"CPE_FIELD","extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html
/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"},{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220210-0012/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5316"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}