Apache Avro Java SDK <=1.11.2: Deserialization OOB Read/OOM
CVE-2023-39410 Published on September 29, 2023
Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.
This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2023-39410 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
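The advisory describes the class of flaw (a reader that honours a length or count declared by untrusted input before checking it against the payload or a sane limit) but not the shape of the fix. The following is an added illustration, not Apache Avro's code: it re-implements two pieces of the Avro binary encoding (zigzag varint longs and length-prefixed bytes/strings/arrays) in Python, shows the trusting reader that allocates a buffer of the declared size before looking at the data, and beside it a bounded reader that rejects a declared length exceeding either a caller-supplied cap or the bytes actually remaining. The function names, the `DecodeError` type and the sample payloads are constructed for this example.

```python
"""Bounded length-prefixed decoding in the style of the Avro binary encoding.

Added example for CVE-2023-39410; this is NOT Apache Avro's code. It mirrors
the Avro wire format for longs (zigzag varint), bytes/strings (length-prefixed)
and arrays (count-prefixed blocks) so the failure mode and its mitigation are
visible in a few dozen lines.
"""


class DecodeError(ValueError):
    """Raised when input is malformed or exceeds a configured limit (constructed name)."""


def zigzag_decode(n: int) -> int:
    return (n >> 1) ^ -(n & 1)


def encode_long(v: int) -> bytes:
    """Avro long: zigzag, then little-endian base-128 varint (used here to build test input)."""
    n = (v << 1) if v >= 0 else ((-v << 1) - 1)
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def read_long(buf: bytes, pos: int) -> tuple[int, int]:
    """Read one varint-zigzag long at pos; returns (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise DecodeError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return zigzag_decode(result), pos
        shift += 7
        if shift > 63:  # a 64-bit long needs at most 10 varint bytes
            raise DecodeError("varint too long")


def encode_bytes(data: bytes) -> bytes:
    return encode_long(len(data)) + data


def encode_long_array(items: list[int]) -> bytes:
    """Single-block array: count, items, terminating zero count."""
    return encode_long(len(items)) + b"".join(encode_long(i) for i in items) + encode_long(0)


def read_bytes_trusting(buf: bytes, pos: int) -> tuple[bytearray, int]:
    """The unsafe shape: size the output from the declared length BEFORE checking it.
    Four input bytes can declare a multi-gigabyte allocation; the copy below only
    fills whatever is really present, but the memory is already committed."""
    length, pos = read_long(buf, pos)
    out = bytearray(length)          # allocation driven purely by attacker-controlled input
    chunk = buf[pos:pos + length]
    out[:len(chunk)] = chunk
    return out, pos + len(chunk)


def read_bytes_bounded(buf: bytes, pos: int, max_len: int) -> tuple[bytes, int]:
    """The hardened shape: validate the declared length against a cap and against
    the bytes actually remaining, and only then materialise the value."""
    length, pos = read_long(buf, pos)
    if length < 0:
        raise DecodeError("negative length")
    if length > max_len:
        raise DecodeError(f"declared length {length} exceeds limit {max_len}")
    if length > len(buf) - pos:
        raise DecodeError("declared length exceeds remaining input")
    return bytes(buf[pos:pos + length]), pos + length


def read_string_bounded(buf: bytes, pos: int, max_len: int) -> tuple[str, int]:
    raw, pos = read_bytes_bounded(buf, pos, max_len)
    try:
        return raw.decode("utf-8", errors="strict"), pos
    except UnicodeDecodeError as exc:
        raise DecodeError("invalid UTF-8 in string") from exc


def read_long_array_bounded(buf: bytes, pos: int, max_items: int) -> tuple[list[int], int]:
    """Array blocks: count (negative count means a block byte-size follows), items,
    repeated until a zero count. The item cap is checked before any item is read,
    so a reader that pre-sizes a collection from the count cannot be oversized."""
    items: list[int] = []
    while True:
        count, pos = read_long(buf, pos)
        if count == 0:
            return items, pos
        if count < 0:
            count = -count
            _block_size, pos = read_long(buf, pos)  # byte length of the block; unused here
        if len(items) + count > max_items:
            raise DecodeError(f"array would exceed {max_items} items")
        for _ in range(count):
            value, pos = read_long(buf, pos)
            items.append(value)
```

The caps passed to the bounded readers are the application's decision: set them from the largest value a legitimate message can carry, not from available heap. The 1.11.3 release addressed this issue in the SDK itself; when upgrading, check the release notes for any configurable limits it introduced and set them deliberately rather than relying on defaults.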
Products Associated with CVE-2023-39410
Affected Versions
Apache Software Foundation Apache Avro Java SDK: versions before 1.11.3 are affected.