CVE-2023-39410
HIGHApache Avro <= 1.11.2 - Denial of Service via Memory Exhaustion in Data Deserialization
Title source: llmDescription
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
References (3)
Core 3
Core References
Mailing List, Third Party Advisory
https://www.openwall.com/lists/oss-security/2023/09/29/6
Vendor Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
Scores
CVSS v3
7.5
EPSS
0.0009
EPSS Percentile
26.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-502
Status
published
Products (2)
apache/avro
< 1.11.3
org.apache.avro/avro
0 - 1.11.3Maven
Published
Sep 29, 2023
Tracked Since
Feb 18, 2026