oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK

From: Ryan Skraba <rskraba () apache org>
Date: Fri, 29 Sep 2023 16:12:45 +0000
Severity: low

Affected versions:

- Apache Avro Java SDK before 1.11.3

Description:

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed 
constraints and thus lead to out of memory on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2.  Users should update to 
apache-avro version 1.11.3 which addresses this issue.

This issue is being tracked as AVRO-3819 

Credit:

Adam Korczynski at ADA Logics Ltd (finder)

References:

https://avro.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-39410
https://issues.apache.org/jira/browse/AVRO-3819
Previous By Date Next
Previous By Thread Next

Current thread: