GHSA-7hfm-57qf-j43q · Severity: high · Ecosystem: maven — Excessive Iteration in Compress
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Conclusion & alert: CVE-2021-35515 is rated High Risk (68.4/100): CVSS High severity, with high exploitation likelihood (EPSS 11.88%, 96th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +10.69% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 1.19% | 11.88% | +10.69% |
| 2 | 2026-04-27 | 0.60% | 1.19% | +0.59% |
| 3 | 2026-03-04 | — | 0.60% | — |
Full EPSS history (38 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-7hfm-57qf-j43q · Severity: high · Ecosystem: maven — Excessive Iteration in Compress
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2021-35515 not yet assigned priority: Debian including 1 source packages (libcommons-compress-java), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2021-35515 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2021-35515 |
suse
|
high | CVE-2021-35515 severity important: SUSE including 11 source package names (3.3.2-2.3:apache-commons-compress-1.21-3.3.1, 5.0.0-beta1.2.122:apache-commons-compress-1.21-3.3.1, …), 31 product×package rows across 27 product lines (Container containers/apache-pulsar, Container suse/manager/5.0/x86_64/server, … (27 product lines)): Fixed 31. | https://www.suse.com/security/cve/CVE-2021-35515/ |
ubuntu
|
medium | CVE-2021-35515 medium priority: Ubuntu including 1 source packages (libcommons-compress-java), 16 status rows across 16 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): ignored 8, needs-triage 7, DNE 1. | https://ubuntu.com/security/CVE-2021-35515 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | commons_compress | >= 1.6, <= 1.20 | cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:* |
| netapp | active_iq_unified_manager | — | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:* |
| netapp | active_iq_unified_manager | — | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* |
| netapp | active_iq_unified_manager | — | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* |
| netapp | oncommand_insight | — | cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* |
| oracle | banking_digital_experience | >= 18.1, <= 18.3 | cpe:2.3:a:oracle:banking_digital_experience:*:*:*:*:*:*:*:* |
| oracle | banking_digital_experience | 19.1 | cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:* |
| oracle | banking_digital_experience | 20.1 | cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* |
| oracle | banking_digital_experience | 21.1 | cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:* |
| oracle | banking_enterprise_default_management | 2.7.0 | cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:* |
| oracle | banking_party_management | 2.7.0 | cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:* |
| oracle | banking_payments | 14.5 | cpe:2.3:a:oracle:banking_payments:14.5:*:*:*:*:*:*:* |
| oracle | banking_trade_finance | 14.5 | cpe:2.3:a:oracle:banking_trade_finance:14.5:*:*:*:*:*:*:* |
| oracle | banking_treasury_management | 14.5 | cpe:2.3:a:oracle:banking_treasury_management:14.5:*:*:*:*:*:*:* |
| oracle | business_process_management_suite | 12.2.1.3.0 | cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:* |
| oracle | business_process_management_suite | 12.2.1.4.0 | cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:* |
| oracle | commerce_guided_search | 11.3.2 | cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:* |
| oracle | communications_billing_and_revenue_management | 12.0.0.4 | cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.4:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_automated_test_suite | 1.8.0 | cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_service_communication_proxy | 1.14.0 | cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_unified_data_repository | 1.14.0 | cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:* |
| oracle | communications_diameter_intelligence_hub | >= 8.0.0, <= 8.2.3 | cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:* |
| oracle | communications_session_route_manager | >= 8.0.0, <= 8.2.5 | cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:* |
| oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 | cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:* |
| oracle | financial_services_enterprise_case_management | 8.0.7.2.0 | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:*:*:*:*:*:*:* |
| oracle | financial_services_enterprise_case_management | 8.0.8.1.0 | cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1.0:*:*:*:*:*:*:* |
| oracle | flexcube_universal_banking | >= 14.0.0, <= 14.3.0 | cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:* |
| oracle | flexcube_universal_banking | 12.4.0 | cpe:2.3:a:oracle:flexcube_universal_banking:12.4.0:*:*:*:*:*:*:* |
| oracle | flexcube_universal_banking | 14.5.0 | cpe:2.3:a:oracle:flexcube_universal_banking:14.5.0:*:*:*:*:*:*:* |
| oracle | healthcare_data_repository | 8.1.0 | cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:* |
| oracle | insurance_policy_administration | 11.0.2 | cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:* |
| oracle | insurance_policy_administration | 11.1.0 | cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*:*:*:*:*:* |
| oracle | insurance_policy_administration | 11.2.8 | cpe:2.3:a:oracle:insurance_policy_administration:11.2.8:*:*:*:*:*:*:* |
| oracle | insurance_policy_administration | 11.3.0 | cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:* |
| oracle | insurance_policy_administration | 11.3.1 | cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*:*:*:*:*:* |
| oracle | peoplesoft_enterprise_peopletools | 8.57 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:* |
| oracle | peoplesoft_enterprise_peopletools | 8.58 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:* |
| oracle | peoplesoft_enterprise_peopletools | 8.59 | cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:* |
| oracle | primavera_unifier | >= 17.7, <= 17.12 | cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 18.8 | cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 19.12 | cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:* |
| oracle | primavera_unifier | 20.12 | cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:* |
| oracle | utilities_testing_accelerator | 6.0.0.1.1 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:* |
| oracle | utilities_testing_accelerator | 6.0.0.2.2 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:* |
| oracle | utilities_testing_accelerator | 6.0.0.3.1 | cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:* |
| oracle | communications_messaging_server | 8.1 | cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:* |