ALPINE-CVE-2021-35940
PUBLISHED
CVSS 7.1 HIGH
An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.
Risk Scores
CVSS v3.1
7.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.20 | apr | 0, 1.7.0-r1, 1.7.0-r0 |
| Alpine:v3.21 | apr | 1.7.0-r1, 1.3.3-r0, 1.3.5-r0 |
| Alpine:v3.17 | apr | 1.7.0-r1, 0, 1.3.3-r0 |
| Alpine:v3.19 | apr | 1.6.3-r0, 0, 1.3.3-r0 |
| Alpine:v3.22 | apr | 0, 1.3.3-r0, 1.3.7-r0 |
| Alpine:v3.14 | apr | 0, 1.3.3-r0, 1.3.7-r0 |
| Alpine:v3.23 | apr | 1.4.5-r2, 1.3.3-r0, 1.3.5-r0 |
| Alpine:v3.16 | apr | 1.4.5-r1, 1.4.5-r0, 1.4.4-r0 |
| Alpine:v3.15 | apr | 1.4.2-r3, 1.3.5-r0, 1.3.8-r0 |
| Alpine:v3.18 | apr | 0, 1.3.3-r0, 1.3.5-r0 |
Timeline
- Aug 23, 2021 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch