Vulnerabilities > CVE-2023-39410 - Deserialization of Untrusted Data vulnerability in Apache Avro

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

apache

CWE-502

NVD

Published: 2023-09-29

Updated: 2023-10-06

Summary

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Avro *	1

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

References

https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
https://www.openwall.com/lists/oss-security/2023/09/29/6