exploitDog

CVE-2024-47561

Published: 03 Oct 2024
Source: redhat
CVSS3: 8.8
EPSS: Low

Description

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

A vulnerability was found in Apache Avro. A project is affected and at risk if it accepts an Avro schema (org.apache.avro/avro) for parsing that is provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special "java-class" attribute.

Report

The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users. Red Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.

Mitigations

  1. Avoid parsing user-provided schemas.
  2. Ensure proper input validation and sanitization of schemas before parsing.
  3. Monitor systems for any unusual activities that may indicate exploitation attempts.
  4. Apply the principle of least privilege to minimize the potential impact of successful exploits.
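The first two mitigations above (do not parse untrusted schemas; validate them before parsing) can be enforced with a pre-parse gate in front of the real schema parser. The following is an added example written for this page, not code from the advisory, Red Hat, or the Apache Avro project. It treats the incoming schema as plain JSON, rejects any document that carries the "java-class" attribute named in the description, and caps size and nesting so that only a bounded, attribute-free document reaches the parser. The constants FORBIDDEN_ATTRIBUTES, MAX_SCHEMA_BYTES and MAX_NESTING_DEPTH are assumed values to tune per deployment, and the sample schemas are constructed for the demonstration.

```python
"""Pre-parse gate for untrusted Avro schemas.

Added example for this page; not code from the advisory or from Apache Avro.
"""
import json
from typing import Any, Iterator

# The advisory names "java-class" as the attribute that triggers code
# execution during schema parsing in Avro Java 1.11.3 and earlier. The set
# is an assumption you may extend for your deployment.
FORBIDDEN_ATTRIBUTES = frozenset({"java-class"})

MAX_SCHEMA_BYTES = 64 * 1024   # assumed size cap for an untrusted schema
MAX_NESTING_DEPTH = 32         # assumed nesting cap for the JSON tree


def walk(node: Any, path: str = "$", depth: int = 0) -> Iterator[tuple[str, dict]]:
    """Yield (json_path, object) for every JSON object in the schema tree.

    Raises ValueError if the tree is nested deeper than MAX_NESTING_DEPTH.
    """
    if depth > MAX_NESTING_DEPTH:
        raise ValueError(f"schema nesting exceeds {MAX_NESTING_DEPTH} at {path}")
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}", depth + 1)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]", depth + 1)


def find_forbidden_attributes(schema_json: str) -> list[str]:
    """Return the JSON path of every forbidden attribute, or [] if none is present.

    Raises ValueError for oversized, malformed, or over-nested input.
    """
    if len(schema_json.encode("utf-8")) > MAX_SCHEMA_BYTES:
        raise ValueError(f"schema exceeds {MAX_SCHEMA_BYTES} bytes")
    schema = json.loads(schema_json)  # json.JSONDecodeError is a ValueError
    hits = []
    for path, obj in walk(schema):
        for key in obj:
            if key in FORBIDDEN_ATTRIBUTES:
                hits.append(f"{path}.{key}")
    return hits


def accept_untrusted_schema(schema_json: str) -> tuple[bool, str]:
    """Decide whether a user-supplied schema may be handed to the real parser.

    Returns (True, "ok") only when the document is well-formed, within limits,
    and free of forbidden attributes; otherwise (False, reason).
    """
    try:
        hits = find_forbidden_attributes(schema_json)
    except ValueError as exc:
        return False, f"rejected before parsing: {exc}"
    if hits:
        return False, "forbidden attribute(s): " + ", ".join(hits)
    return True, "ok"


# Constructed sample: an ordinary record schema with no reflection hints.
CLEAN_SCHEMA = json.dumps({
    "type": "record", "name": "Event", "namespace": "example",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "tags", "type": {"type": "array", "items": "string"}},
    ],
})

# Constructed sample: the same record, but a nested type carries the
# "java-class" attribute the advisory describes. The class name is a placeholder.
SUSPECT_SCHEMA = json.dumps({
    "type": "record", "name": "Event", "namespace": "example",
    "fields": [
        {"name": "id", "type": "long"},
        {"name": "payload", "type": {"type": "string", "java-class": "com.example.Placeholder"}},
    ],
})

# Constructed sample: 40 nested array types, deeper than MAX_NESTING_DEPTH.
_deep: Any = "string"
for _ in range(40):
    _deep = {"type": "array", "items": _deep}
DEEP_SCHEMA = json.dumps(_deep)


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SCHEMA), ("suspect", SUSPECT_SCHEMA), ("deep", DEEP_SCHEMA)):
        print(label, accept_untrusted_schema(doc))
```

The gate is a compensating control for deployments that cannot stop accepting end-user schemas immediately; the advisory's actual fix is the upgrade to 1.11.4 or 1.12.0. Because it inspects the raw JSON rather than the parsed Schema object, it runs before any parser-side processing of the attribute, and the returned paths give the monitoring step (mitigation 3) something concrete to log.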

Affected packages

Platform                                          Package                          State
A-MQ Clients 2                                    org.apache.avro/avro             Not affected
Logging Subsystem for Red Hat OpenShift           org.elasticsearch-elasticsearch  Not affected
Red Hat build of Apache Camel for Spring Boot 3   org.apache.avro/avro             Out of support scope
Red Hat build of Debezium 2                       org.apache.avro/avro             Not affected
Red Hat Build of Keycloak                         org.apache.avro/avro             Not affected
Red Hat Data Grid 8                               org.apache.avro/avro             Not affected
Red Hat Fuse 7                                    org.apache.avro/avro             Will not fix
Red Hat JBoss Data Grid 7                         org.apache.avro/avro             Not affected
Red Hat JBoss Enterprise Application Platform 8   avro                             Not affected
Red Hat Single Sign-On 7                          org.apache.avro/avro             Will not fix

No recommendation or release is listed for any row.


Additional information

Status: Critical
Weakness: CWE-502
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=2316116 (apache-avro: Schema parsing may trigger Remote Code Execution (RCE))

EPSS: 0.00543 (percentile: 67%), Low

CVSS3: 8.8 High

Related vulnerabilities

CVSS3: 7.3
nvd
more than 1 year ago

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

CVSS3: 9.8
github
more than 1 year ago

Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)

CVSS3: 7.3
fstec
more than 1 year ago

A vulnerability in the Apache Avro data serialization library is caused by flaws in its deserialization mechanism. Exploiting the vulnerability may allow a remote attacker to execute arbitrary code by supplying a specially crafted data schema.
