High severityNVD Advisory· Published Sep 29, 2023· Updated Feb 13, 2025
Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
CVE-2023-39410
Description
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.
This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.avro:avroMaven | < 1.11.3 | 1.11.3 |
Affected products
16- osv-coords15 versionspkg:apk/chainguard/celeborn-0.6pkg:apk/chainguard/druidpkg:apk/chainguard/tezpkg:apk/chainguard/wavefront-proxypkg:apk/chainguard/wavefront-proxy-compatpkg:apk/chainguard/wavefront-proxy-configpkg:apk/chainguard/wavefront-proxy-licensespkg:apk/wolfi/celeborn-0.6pkg:apk/wolfi/druidpkg:apk/wolfi/tezpkg:apk/wolfi/wavefront-proxypkg:apk/wolfi/wavefront-proxy-compatpkg:apk/wolfi/wavefront-proxy-configpkg:apk/wolfi/wavefront-proxy-licensespkg:maven/org.apache.avro/avro
< 0.6.3-r7+ 14 more
- (no CPE)range: < 0.6.3-r7
- (no CPE)range: < 37.0.0-r14
- (no CPE)range: < 0.10.4-r8
- (no CPE)range: < 13.3-r1
- (no CPE)range: < 13.3-r1
- (no CPE)range: < 13.3-r1
- (no CPE)range: < 13.3-r1
- (no CPE)range: < 0.6.3-r7
- (no CPE)range: < 37.0.0-r14
- (no CPE)range: < 0.10.4-r8
- (no CPE)range: < 13.3-r1
- (no CPE)range: < 13.3-r1
- (no CPE)range: < 13.3-r1
- (no CPE)range: < 13.3-r1
- (no CPE)range: < 1.11.3
- Range: 0
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-rhrv-645h-fjfhghsaADVISORY
- lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjddsghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2023-39410ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/09/29/6ghsaWEB
- github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yamlghsaWEB
- issues.apache.org/jira/browse/AVRO-3819ghsaWEB
- security.netapp.com/advisory/ntap-20240621-0006ghsaWEB
- www.openwall.com/lists/oss-security/2023/09/29/6ghsaWEB
- security.netapp.com/advisory/ntap-20240621-0006/mitre
News mentions
0No linked articles in our index yet.