CVE-2022-35724 – apache-avro
Package
Manager: cargo
Name: apache-avro
Vulnerable Version: >=0 <0.14.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00698 (percentile 0.71074)
Details
Apache Avro Rust SDK vulnerable to reader looping in cycles endlessly, consuming CPU.
It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using the Apache Avro Rust SDK (previously known as avro-rs) prior to 0.14.0. Users should update to apache-avro version 0.14.0, which addresses this issue.
Metadata
Created: 2022-08-10T00:00:31Z
Modified: 2022-08-18T19:15:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-v456-chpw-6mmw/GHSA-v456-chpw-6mmw.json
CWE IDs: ["CWE-835"]
Alternative ID: GHSA-v456-chpw-6mmw
Finding: F138
Auto approve: 1