CVE-2023-37475 - Vulnerability Details - OpenCVE

Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00285.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Avro Project	Avro

Configuration 1 [-]

cpe:2.3:a:avro_project:avro:*:*:*:*:*:go:*:*

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290
https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45

History

Fri, 18 Oct 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-07-17T16:36:23.546Z

Updated: 2024-10-18T17:38:36.924Z

Reserved: 2023-07-06T13:01:36.999Z

Link: CVE-2023-37475

Vulnrichment

Updated: 2024-08-02T17:16:30.172Z

NVD

Status : Modified

Published: 2023-07-17T17:15:10.127

Modified: 2024-11-21T08:11:47.353

Link: CVE-2023-37475

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37475", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-06T13:01:36.999Z", "datePublished": "2023-07-17T16:36:23.546Z", "dateUpdated": "2024-10-18T17:38:36.924Z"}, "containers": {"cna": {"title": "Attacker-controlled parameter can cause denial of service in hamba avro", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45"}, {"name": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290", "tags": ["x_refsource_MISC"], "url": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290"}], "affected": [{"vendor": "hamba", "product": "avro", "versions": [{"version": "< 2.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-17T16:36:23.546Z"}, "descriptions": [{"lang": "en", "value": "Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-9x44-9pgq-cf45", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:30.172Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45"}, {"name": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290"}]}, {"affected": [{"vendor": "avro_project", "product": "avro", "cpes": ["cpe:2.3:a:avro_project:avro:*:*:*:*:*:go:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2.13.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-18T17:29:12.659543Z", "id": "CVE-2023-37475", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T17:38:36.924Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45", "name": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290", "name": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:30.172Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37475", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-18T17:29:12.659543Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:avro_project:avro:*:*:*:*:*:go:*:*"], "vendor": "avro_project", "product": "avro", "versions": [{"status": "affected", "version": "0", "lessThan": "2.13.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-18T17:38:31.317Z"}}], "cna": {"title": "Attacker-controlled parameter can cause denial of service in hamba avro", "source": {"advisory": "GHSA-9x44-9pgq-cf45", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "hamba", "product": "avro", "versions": [{"status": "affected", "version": "< 2.13.0"}]}], "references": [{"url": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45", "name": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290", "name": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-07-17T16:36:23.546Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37475", "state": "PUBLISHED", "dateUpdated": "2024-10-18T17:38:36.924Z", "dateReserved": "2023-07-06T13:01:36.999Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-07-17T16:36:23.546Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:avro_project:avro:*:*:*:*:*:go:*:*", "matchCriteriaId": "5AC3910F-0EB5-45EE-B590-FE81DEE4ED39", "versionEndExcluding": "2.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "id": "CVE-2023-37475", "lastModified": "2024-11-21T08:11:47.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-17T17:15:10.127", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}