CVE-2021-37137

CVSS v3.1: 7.5 (High)
CVSS v2.0: 5 (Medium)
EPSS: 1.05% (84th percentile)
Affected Products: 12
Advisories: 8

The Snappy frame decoder does not restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very large size (via a network stream or a file) or by sending a huge skippable chunk.

Weaknesses: CWE-400 (Uncontrolled Resource Consumption)
CVE Status: PUBLISHED
CNA: JFrog
Published Date: 2021-10-19 15:15:07
Updated Date: 2023-11-07 03:36:54

Affected Products


Configuration #1

Product | CPE23 | From | Up To
Netty, versions before 4.1.68 | cpe:2.3:a:netty:netty | | < 4.1.68

Configuration #2

Product | CPE23 | From | Up To
Oracle Banking APIs 18.1 through 18.3 | cpe:2.3:a:oracle:banking_apis | >= 18.1 | <= 18.3
Oracle Banking APIs 19.1 | cpe:2.3:a:oracle:banking_apis:19.1 | |
Oracle Banking APIs 19.2 | cpe:2.3:a:oracle:banking_apis:19.2 | |
Oracle Banking APIs 20.1 | cpe:2.3:a:oracle:banking_apis:20.1 | |
Oracle Banking APIs 21.1 | cpe:2.3:a:oracle:banking_apis:21.1 | |
Oracle Banking Digital Experience 18.1 | cpe:2.3:a:oracle:banking_digital_experience:18.1 | |
Oracle Banking Digital Experience 18.2 | cpe:2.3:a:oracle:banking_digital_experience:18.2 | |
Oracle Banking Digital Experience 18.3 | cpe:2.3:a:oracle:banking_digital_experience:18.3 | |
Oracle Banking Digital Experience 19.1 | cpe:2.3:a:oracle:banking_digital_experience:19.1 | |
Oracle Banking Digital Experience 19.2 | cpe:2.3:a:oracle:banking_digital_experience:19.2 | |
Oracle Banking Digital Experience 20.1 | cpe:2.3:a:oracle:banking_digital_experience:20.1 | |
Oracle Banking Digital Experience 21.1 | cpe:2.3:a:oracle:banking_digital_experience:21.1 | |
Oracle Commerce Guided Search 11.3.2 | cpe:2.3:a:oracle:commerce_guided_search:11.3.2 | |
Oracle Communications BRM - Elastic Charging Engine, versions before 12.0.0.4.6 | cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine | | < 12.0.0.4.6
Oracle Communications BRM - Elastic Charging Engine 12.0.0.5.0 | cpe:2.3:a:oracle:communications_brm_-_elastic_charging_engine:12.0.0.5.0 | |
Oracle Communications Cloud Native Core Binding Support Function 1.10.0 | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0 | |
Oracle Communications Diameter Signaling Router 8.0.0.0 through 8.5.0.2 | cpe:2.3:a:oracle:communications_diameter_signaling_router | >= 8.0.0.0 | <= 8.5.0.2
Oracle PeopleSoft Enterprise PeopleTools 8.57 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57 | |
Oracle PeopleSoft Enterprise PeopleTools 8.58 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58 | |
Oracle PeopleSoft Enterprise PeopleTools 8.59 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59 | |
Oracle WebCenter Portal 12.2.1.3.0 | cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0 | |
Oracle WebCenter Portal 12.2.1.4.0 | cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0 | |

Configuration #3

Product | CPE23 | From | Up To
Quarkus, versions before 2.2.4 | cpe:2.3:a:quarkus:quarkus | | < 2.2.4

Configuration #4

Product | CPE23 | From | Up To
NetApp OnCommand Insight | cpe:2.3:a:netapp:oncommand_insight:- | |

Configuration #5

Product | CPE23 | From | Up To
Debian Linux 10.0 | cpe:2.3:o:debian:debian_linux:10.0 | |
Debian Linux 11.0 | cpe:2.3:o:debian:debian_linux:11.0 | |