CVE-2022-36124 – apache-avro
Package
Manager: cargo
Name: apache-avro
Vulnerable Version: >=0 <0.14.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.02955 pctl0.85946
Details
Apache Avro Rust SDK's Reader could consume memory beyond allowed constraints. It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to an out-of-memory condition on the system. This issue affects Rust applications using the Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0, which addresses this issue.
Metadata
Created: 2022-08-10T00:00:31Z
Modified: 2022-08-30T20:05:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-wcm8-86x6-8mv3/GHSA-wcm8-86x6-8mv3.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-wcm8-86x6-8mv3
Finding: F067
Auto approve: 1