Home > Vulnerability Database > CVE-2023-39410

Mend.io Vulnerability Database

CVE-2023-39410

Good to know:

Date: September 29, 2023

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

Language: Java

Severity Score

7.5

Related Resources (10)

Url: https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds

Url: https://github.com/apache/avro

Url: http://www.openwall.com/lists/oss-security/2023/09/29/6

Url: https://www.openwall.com/lists/oss-security/2023/09/29/6

Url: https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml

Url: https://security.netapp.com/advisory/ntap-20240621-0006

Url: https://security.netapp.com/advisory/ntap-20240621-0006/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-39410

Url: https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828

Url: https://www.mend.io/vulnerability-database/CVE-2023-39410

Severity Score

7.5

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version org.apache.avro:avro:1.11.3;org.apache.avro:avro-android:1.11.3;org.apache.avro:avro-tools:1.11.3;avro - 1.11.3

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-39410

Good to know:

Date: September 29, 2023

Language: Java

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?