{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2023-39410", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-07-31T17:55:21.702Z", "datePublished": "2023-09-29T16:23:34.021Z", "dateUpdated": "2024-08-02T18:10:20.868Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Avro Java SDK", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.11.3", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Adam Korczynski at ADA Logics Ltd"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.</div><div><br></div><div>This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.</div><div><br></div>"}], "value": "When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\n\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.\n\n"}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-10-04T08:08:25.791Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds"}, {"url": "https://www.openwall.com/lists/oss-security/2023/09/29/6"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "source": {"defect": ["AVRO-3819"], "discovery": "EXTERNAL"}, "title": "Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache", "product": "avro", "cpes": ["cpe:2.3:a:apache:avro:-:*:*:*:*:rust:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.11.3", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-26T19:07:20.270770Z", "id": "CVE-2023-39410", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T19:09:26.935Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:10:20.868Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds"}, {"url": "https://www.openwall.com/lists/oss-security/2023/09/29/6", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2023/09/29/6", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:10:20.868Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-39410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-26T19:07:20.270770Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:avro:-:*:*:*:*:rust:*:*"], "vendor": "apache", "product": "avro", "versions": [{"status": "affected", "version": "0", "lessThan": "1.11.3", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-26T19:09:11.820Z"}}], "cna": {"title": "Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK", "source": {"defect": ["AVRO-3819"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Adam Korczynski at ADA Logics Ltd"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Avro Java SDK", "versions": [{"status": "affected", "version": "0", "lessThan": "1.11.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds", "tags": ["vendor-advisory"]}, {"url": "https://www.openwall.com/lists/oss-security/2023/09/29/6"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\n\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.\n\n", "supportingMedia": [{"type": "text/html", "value": "<div>When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.</div><div><br></div><div>This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.</div><div><br></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-10-04T08:08:25.791Z"}}}, "cveMetadata": {"cveId": "CVE-2023-39410", "state": "PUBLISHED", "dateUpdated": "2024-08-02T18:10:20.868Z", "dateReserved": "2023-07-31T17:55:21.702Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2023-09-29T16:23:34.021Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:avro:*:*:*:*:*:-:*:*", "matchCriteriaId": "3FD3A974-85E9-48F7-A946-57679CE29859", "versionEndExcluding": "1.11.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\n\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.\n\n"}, {"lang": "es", "value": "Al deserializar datos corruptos o que no son de confianza, es posible que un lector consuma memoria m\u00e1s all\u00e1 de las restricciones permitidas y, por lo tanto, provoque una falta de memoria en el sistema. Este problema afecta a las aplicaciones Java que utilizan Apache Avro Java SDK hasta la versi\u00f3n 1.11.2 incluida. Los usuarios deben actualizar a la versi\u00f3n 1.11.3 de Apache-avro, que soluciona este problema."}], "id": "CVE-2023-39410", "lastModified": "2024-06-21T19:15:27.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-29T17:15:46.923", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2023/09/29/6"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7641", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "avro", "product_name": "EAP 7.4.14", "release_date": "2023-12-04T00:00:00Z"}, {"advisory": "RHSA-2023:7617", "cpe": "cpe:/a:redhat:camel_quarkus:3.2.0", "product_name": "Red Hat build of Apache Camel for Quarkus", "release_date": "2023-11-30T00:00:00Z"}, {"advisory": "RHSA-2023:7700", "cpe": "cpe:/a:redhat:quarkus:2.13::el8", "package": "org.apache.avro/avro:1.11.3.redhat-00002", "product_name": "Red Hat build of Quarkus 2.13.9.Final", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7612", "cpe": "cpe:/a:redhat:quarkus:3.2::el8", "package": "org.apache.avro/avro:1.11.3.redhat-00002", "product_name": "Red Hat build of Quarkus 3.2.9.Final", "release_date": "2023-11-30T00:00:00Z"}, {"advisory": "RHSA-2023:7247", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "avro", "product_name": "Red Hat Fuse 7.12.1", "release_date": "2023-11-15T00:00:00Z"}, {"advisory": "RHSA-2024:3354", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "avro", "product_name": "Red Hat Fuse 7.13.0", "release_date": "2024-05-23T00:00:00Z"}, {"advisory": "RHSA-2023:7638", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-avro-0:1.11.3-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-12-04T00:00:00Z"}, {"advisory": "RHSA-2023:7639", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-avro-0:1.11.3-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-12-04T00:00:00Z"}, {"advisory": "RHSA-2023:7637", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-avro-0:1.11.3-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-12-04T00:00:00Z"}], "bugzilla": {"description": "apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK", "id": "2242521", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242521"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.", "A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system."], "name": "CVE-2023-39410", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "avro", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Will not fix", "package_name": "avro", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "avro", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Will not fix", "package_name": "avro", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "avro", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "log4j:2/log4j", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "log4j", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "avro", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "package_name": "avro", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "avro", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "avro", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_5-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "avro", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "avro", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "avro", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "package_name": "avro", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Out of support scope", "package_name": "avro", "product_name": "streams for Apache Kafka"}], "public_date": "2023-09-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-39410\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-39410\nhttps://issues.apache.org/jira/browse/AVRO-3819"], "threat_severity": "Important", "upstream_fix": "apache-avro 1.11.3"}