Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
CVE-2023-39410

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Avro Java SDK
Vendor: CVE Published:; 29 September 2023

Summary

A vulnerability exists in the Apache Avro Java SDK that allows for memory consumption beyond intended limits during the deserialization of untrusted or corrupted data. This can lead to an out-of-memory condition, affecting the stability and performance of Java applications. Users are strongly advised to update to version 1.11.3 or later to mitigate this issue effectively.

Affected Version(s)

Apache Avro Java SDK 0 < 1.11.3

References

https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoym...

vendor-advisory

https://www.openwall.com/lists/oss-security/2023/09/29/6

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 29, 2023
Vulnerability Reserved
Jul 31, 2023

Credit

Adam Korczynski at ADA Logics Ltd