Fluid Attacks Database

Description

Apache Avro Java SDK vulnerable to Improper Input Validation When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	avro	>=0 <1.11.3	1.11.3
maven	org.apache.avro:avro	>=0 <1.11.3	1.11.3
nuget	apache.avro	>=0 <1.11.3	1.11.3

Aliases

1. CVE-2023-394102. NVD-2023-394103. OSV-2023-394104. GHSA-rhrv-645h-fjfh5. GCVE-2023-39410

References

1. https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f92678282. https://github.com/apache/avro3. https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml4. https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds5. https://security.netapp.com/advisory/ntap-20240621-00066. https://www.openwall.com/lists/oss-security/2023/09/29/67. https://issues.apache.org/jira/browse/AVRO-38198. http://www.openwall.com/lists/oss-security/2023/09/29/6

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.