'[oss-security] CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avr'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avr
From:       Ryan Skraba <rskraba () apache ! org>
Date:       2023-09-29 16:12:45
Message-ID: b6e3aaa0-5d6b-cb13-d602-142f325a5544 () apache ! org
[Download RAW message or body]

Severity: low

Affected versions:

- Apache Avro Java SDK before 1.11.3

Description:

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory \
beyond the allowed constraints and thus lead to out of memory on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  \
Users should update to apache-avro version 1.11.3 which addresses this issue.

This issue is being tracked as AVRO-3819 

Credit:

Adam Korczynski at ADA Logics Ltd (finder)

References:

https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39410
https://issues.apache.org/jira/browse/AVRO-3819

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic