Commons-Compress Security Update (MINDBREEZE19439)
ID: MINDBREEZE19439
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 7.5 High
Status: Final
First published: October 4, 2021
CVEs: CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090
Summary
- CVE-2021-35515: When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop.
- CVE-2021-35516: When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs.
- CVE-2021-35517: When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs.
- CVE-2021-36090: When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs.
Remediation
Hotfix Information
Fixed in the following versions of Mindbreeze InSpire On-Premises and Mindbreeze InSpire SaaS:
- Mindbreeze InSpire 21.2 Release (Version 21.2.1.1027)
- Mindbreeze InSpire SaaS 21.2 Release (Version 21.2.1.1027)