{"schema_version": "1.6.1", "id": "CVE-2021-35940", "summary": "Regression of CVE-2017-12613", "details": "An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613).  The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Portable Runtime 1.7.0"}, {"last_affected": "Apache Portable Runtime 1.7.0"}]}]}], "references": [{"type": "ADVISORY", "url": "http://svn.apache.org/viewvc?view=revision&revision=1891198%20"}, {"type": "ADVISORY", "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3CCACsi251B8UaLvM-rrH9fv57-zWi0zhyF3275_jPg1a9VEVVoxw%40mail.gmail.com%3E"}, {"type": "ADVISORY", "url": "https://downloads.apache.org/apr/patches/apr-1.7.0-CVE-2021-35940.patch"}, {"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/ra2868b53339a6af65577146ad87016368c138388b09bff9d2860f50e%40%3Cdev.apr.apache.org%3E"}]}