CVE-2023-39410

Опубликовано: 29 сент. 2023

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

Ссылки

https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
Mailing List
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.openwall.com/lists/oss-security/2023/09/29/6
Mailing List
Third Party Advisory
https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
Mailing List
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
https://www.openwall.com/lists/oss-security/2023/09/29/6
Mailing List
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:avro:*:*:*:*:*:-:*:*

Версия до 1.11.3 (исключая)

EPSS

Процентиль: 19%

0.00061

Низкий

7.5 High

CVSS3

Дефекты

CWE-502

Связанные уязвимости

CVE-2023-39410

CVSS3: 7.5

redhat

больше 2 лет назад

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

GHSA-rhrv-645h-fjfh

CVSS3: 7.5

github

больше 2 лет назад

Apache Avro Java SDK vulnerable to Improper Input Validation

BDU:2024-02310

CVSS3: 7.5

fstec

больше 2 лет назад

Уязвимость библиотеки сериализации данных Apache Avro, связанная с недостатками механизма десериализации, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 19%

0.00061

Низкий

7.5 High

CVSS3

Дефекты

CWE-502