CVE-2021-35940
Public on 2021-08-23
Modified on 2024-02-13
Description
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 2 - Core | apr | 2023-02-13 | ALAS2-2023-1936 | Fixed |
Amazon Linux 2023 | apr | 2023-02-17 | ALAS2023-2023-016 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |
NVD | CVSSv2 | 3.6 | AV:L/AC:L/Au:N/C:P/I:N/A:P |
NVD | CVSSv3 | 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H |