{"id":"CVE-2021-37137","details":"The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.","aliases":["GHSA-9vjp-v76f-g363"],"modified":"2026-05-18T05:53:04.975286131Z","published":"2021-10-19T15:15:07.757Z","related":["SUSE-SU-2022:1271-1","SUSE-SU-2022:3617-1","SUSE-SU-2022:3760-1","SUSE-SU-2022:3793-1","openSUSE-SU-2024:14442-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","vendor_product":"debian:debian_linux","cpes":["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"10.0"},{"last_affected":"11.0"}]},{"source":"CPE_FIELD","vendor_product":"oracle:banking_apis","cpes":["cpe:2.3:a:oracle:banking_apis:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"18.1"},{"last_affected":"18.3"},{"last_affected":"19.1"},{"last_affected":"19.2"},{"last_affected":"20.1"},{"last_affected":"21.1"}]},{"source":"CPE_FIELD","vendor_product":"oracle:banking_digital_experience","cpes":["cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*","cpe:2.3:a:oracle:banking_digital_experience:2
1.1:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"18.1"},{"last_affected":"18.2"},{"last_affected":"18.3"},{"last_affected":"19.1"},{"last_affected":"19.2"},{"last_affected":"20.1"},{"last_affected":"21.1"}]},{"source":"CPE_FIELD","vendor_product":"oracle:commerce_guided_search","cpes":["cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"11.3.2"}]},{"source":"CPE_FIELD","vendor_product":"oracle:communications_brm_-_elastic_charging_engine","cpes":["cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:*:*:*:*:*:*:*:*","cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0:*:*:*:*:*:*:*"],"extracted_events":[{"fixed":"12.0.0.4.6"},{"last_affected":"12.0.0.5.0"}]},{"source":"CPE_FIELD","vendor_product":"oracle:communications_cloud_native_core_binding_support_function","cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"1.10.0"}]},{"source":"CPE_FIELD","vendor_product":"oracle:communications_diameter_signaling_router","cpes":["cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"8.0.0.0"},{"last_affected":"8.5.0.2"}]},{"source":"CPE_FIELD","vendor_product":"oracle:peoplesoft_enterprise_peopletools","cpes":["cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*","cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"8.57"},{"last_affected":"8.58"},{"last_affected":"8.59"}]},{"source":"CPE_FIELD","vendor_product":"oracle:webcenter_portal","cpes":["cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"12.2.1.3.0"},{"last_affected":"12.2.1.4.0"}]}]},"references":[{"type":"WEB","url":"https://list
s.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"},{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220210-0012/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5316"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"7d34282f9d2ffdd64c91cb4780b09902d9779b92"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"4.1.68"}]}}],"versions":["netty-4.1.67.Final","netty-4.1.66.Final","netty-4.1.65.Final","netty-4.1.64.Final","netty-4.1.63.Final","netty-4.1.62.Final","netty-4.1.61.Final","netty-4.1.60.Final","netty-4.1.59.Final","netty-4.1.58.Final","netty-
4.1.57.Final","netty-4.1.56.Final","netty-4.1.55.Final","netty-4.1.54.Final","netty-4.1.53.Final","netty-4.1.52.Final","netty-4.1.51.Final","netty-4.1.50.Final","netty-4.1.49.Final","netty-4.1.48.Final","netty-4.1.47.Final","netty-4.1.46.Final","netty-4.1.45.Final","netty-4.1.44.Final","netty-4.1.43.Final","netty-4.1.42.Final","netty-4.1.41.Final","netty-4.1.40.Final","netty-4.1.39.Final","netty-4.1.38.Final","netty-4.1.37.Final","netty-4.1.36.Final","netty-4.1.35.Final","netty-4.1.34.Final","netty-4.1.33.Final","netty-4.1.32.Final","netty-4.1.31.Final","netty-4.1.30.Final","netty-4.1.29.Final","netty-4.1.28.Final","netty-4.1.27.Final","netty-4.1.26.Final","netty-4.1.25.Final","netty-4.1.24.Final","netty-4.1.23.Final","netty-4.1.22.Final","netty-4.1.21.Final","netty-4.1.20.Final","netty-4.1.19.Final","netty-4.1.18.Final","netty-4.1.17.Final","netty-4.1.16.Final","netty-4.1.15.Final","netty-4.1.14.Final","netty-4.1.13.Final","netty-4.1.12.Final","netty-4.1.11.Final","netty-4.1.10.Final","netty-4.1.9.Final","netty-4.1.8.Final","netty-4.1.7.Final","netty-4.1.6.Final","netty-4.1.5.Final","netty-4.1.4.Final","netty-4.1.3.Final","netty-4.1.2.Final","netty-4.1.1.Final","netty-4.1.0.Final","netty-4.1.0.CR7","netty-4.1.0.CR6","netty-4.1.0.CR5","netty-4.1.0.CR4","netty-4.1.0.CR3","netty-4.1.0.CR2","netty-4.1.0.CR1","netty-4.1.0.Beta8","netty-4.1.0.Beta7","netty-4.1.0.Beta6","netty-4.1.0.Beta5","netty-4.1.0.Beta4","netty-4.1.0.Beta3","netty-4.1.0.Beta2","netty-4.1.0.Beta1","netty-4.0.15.Final","netty-4.0.14.Final","netty-4.0.14.Beta1","netty-4.0.13.Final","netty-4.0.12.Final","netty-4.0.11.Final","netty-4.0.10.Final","netty-4.0.8.Final","netty-4.0.7.Final","netty-4.0.6.Final","netty-4.0.5.Final","netty-4.0.4.Final","netty-4.0.3.Final","netty-4.0.2.Final","netty-4.0.1.Final","netty-4.0.0.Final","netty-4.0.0.CR9","netty-4.0.0.CR8","netty-4.0.0.CR7","netty-4.0.0.CR5","netty-4.0.0.CR4","netty-4.0.0.CR3","netty-4.0.0.CR2","netty-4.0.0.CR1","netty-4.0.0.Beta3","netty-4.0.0.Beta2","n
etty-4.0.0.Beta1","netty-4.0.0.Alpha8","netty-4.0.0.Alpha7","netty-4.0.0.Alpha6","netty-4.0.0.Alpha5","netty-4.0.0.Alpha4","netty-4.0.0.Alpha3","netty-4.0.0.Alpha2","netty-4.0.0.Alpha1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-37137.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"fixed":"d0ffa05fe8b8fb258d6c177ff0427dd71d7d5210"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"2.2.4"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-37137.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}