When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.
This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
References
| Link | Resource |
|---|---|
| https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds | Mailing List Vendor Advisory |
| https://www.openwall.com/lists/oss-security/2023/09/29/6 | Mailing List Third Party Advisory |
Configurations
History
06 Oct 2023, 17:58
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://www.openwall.com/lists/oss-security/2023/09/29/6 - Mailing List, Third Party Advisory |
04 Oct 2023, 09:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
03 Oct 2023, 20:00
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Apache
Apache avro |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| CWE | CWE-502 | |
| CPE | cpe:2.3:a:apache:avro:*:*:*:*:*:-:*:* | |
| References | (MISC) http://www.openwall.com/lists/oss-security/2023/09/29/6 - Mailing List, Third Party Advisory | |
| References | (MISC) https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds - Mailing List, Vendor Advisory |
29 Sep 2023, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
29 Sep 2023, 17:27
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-09-29 17:15
Updated : 2023-12-10 15:14
NVD link : CVE-2023-39410
Mitre link : CVE-2023-39410
CVE.ORG link : CVE-2023-39410
JSON object : View
Products Affected
apache
- avro
CWE
CWE-502
Deserialization of Untrusted Data