Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yaHJ2LTY0NWgtZmpmaM4AA2Jb

Apache Avro Java SDK vulnerable to Improper Input Validation

When deserializing untrusted or corrupted data, a reader can consume memory beyond the allowed constraints, leading to an out-of-memory condition on the system.

This issue affects Java applications using the Apache Avro Java SDK up to and including version 1.11.2. Users should update to apache-avro version 1.11.3, which addresses this issue.

Permalink: https://github.com/advisories/GHSA-rhrv-645h-fjfh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yaHJ2LTY0NWgtZmpmaM4AA2Jb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 8 months ago
Updated: 6 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-rhrv-645h-fjfh, CVE-2023-39410
References: Repository: https://github.com/apache/avro
Blast Radius: 54.2

Affected Packages

pypi:avro
Dependent packages: 46
Dependent repositories: 1,066
Downloads: 7,096,367 last month
Affected Version Ranges: >= 0, < 1.11.3
Fixed in: 1.11.3
All affected versions: 1.3.3, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2
All unaffected versions: 1.11.3
maven:org.apache.avro:avro
Dependent packages: 1,964
Dependent repositories: 15,858
Downloads:
Affected Version Ranges: < 1.11.3
Fixed in: 1.11.3
All affected versions: 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.8.0, 1.8.1, 1.8.2, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2
All unaffected versions: 1.11.3