CVE-2024-47561 org.apache.avro:avro

Package

Manager: maven
Name: org.apache.avro:avro
Vulnerable Version: >=0 <1.11.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01594 (percentile: 0.80957)

Details

Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

Metadata

Created: 2024-10-03T12:30:48Z
Modified: 2025-07-10T23:19:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-r7pg-v2c8-mfg3/GHSA-r7pg-v2c8-mfg3.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-r7pg-v2c8-mfg3
Finding: F096
Auto approve: 1