CVE-2023-39410

HIGH

Apache Avro < 1.11.3 - Insecure Deserialization

Title source: rule

Description

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

References (3)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds

[Mailing List, Third Party Advisory] https://www.openwall.com/lists/oss-security/2023/09/29/6

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240621-0006/

Scores

CVSS v3 7.5

EPSS 0.0006

EPSS Percentile 18.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

apache/avro < 1.11.3

org.apache.avro/avro < 1.11.3Maven

Timeline

Published Sep 29, 2023

Tracked Since Feb 18, 2026