{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47561", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-09-27T07:06:47.522Z", "datePublished": "2024-10-03T10:23:16.214Z", "dateUpdated": "2024-10-21T08:51:22.972Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.avro:avro", "product": "Apache Avro Java SDK", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.11.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kostya Kortchinsky, from the Databricks Security Team"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.<br>Users are recommended to upgrade to version 1.11.4&nbsp; or 1.12.0, which fix this issue."}], "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4\u00a0 or 1.12.0, which fix this issue."}], "metrics": [{"other": {"content": {"text": "critical"}, "type": "Textual description of severity"}}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 9.2, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-10-21T08:51:22.972Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/03/1"}, {"url": "https://security.netapp.com/advisory/ntap-20241011-0003/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-11T22:03:16.050Z"}}, {"affected": [{"vendor": "apache", "product": "avro", "cpes": ["cpe:2.3:a:apache:avro:-:*:*:*:*:-:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.11.4", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T18:53:44.038603Z", "id": "CVE-2024-47561", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T18:59:41.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/03/1"}, {"url": "https://security.netapp.com/advisory/ntap-20241011-0003/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-11T22:03:16.050Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-47561", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-03T18:53:44.038603Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:avro:-:*:*:*:*:-:*:*"], "vendor": "apache", "product": "avro", "versions": [{"status": "affected", "version": "0", "lessThan": "1.11.4", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T18:55:37.785Z"}}], "cna": {"title": "Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK)", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Kostya Kortchinsky, from the Databricks Security Team"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "critical"}}}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Avro Java SDK", "versions": [{"status": "affected", "version": "0", "lessThan": "1.11.4", "versionType": "semver"}], "packageName": "org.apache.avro:avro", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4\u00a0 or 1.12.0, which fix this issue.", "supportingMedia": [{"type": "text/html", "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.<br>Users are recommended to upgrade to version 1.11.4&nbsp; or 1.12.0, which fix this issue.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-10-21T08:51:22.972Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47561", "state": "PUBLISHED", "dateUpdated": "2024-10-21T08:51:22.972Z", "dateReserved": "2024-09-27T07:06:47.522Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-10-03T10:23:16.214Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4\u00a0 or 1.12.0, which fix this issue."}, {"lang": "es", "value": "El an\u00e1lisis de esquemas en el SDK de Java de Apache Avro 1.11.3 y versiones anteriores permite que actores maliciosos ejecuten c\u00f3digo arbitrario. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.11.4 o 1.12.0, que solucionan este problema."}], "id": "CVE-2024-47561", "lastModified": "2024-10-21T09:15:02.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security@apache.org", "type": "Secondary"}]}, "published": "2024-10-03T11:15:13.510", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8064", "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.3", "package": "org.apache.avro/avro", "product_name": "Red Hat build of Apache Camel 4.4.3 for Spring Boot", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:7972", "cpe": "cpe:/a:redhat:camel_quarkus:3.8", "package": "org.apache.avro/avro", "product_name": "Red Hat build of Apache Camel for Quarkus", "release_date": "2024-10-10T00:00:00Z"}, {"advisory": "RHSA-2024:7861", "cpe": "cpe:/a:redhat:apicurio_registry:2.6", "package": "org.apache.avro/avro", "product_name": "Red Hat build of Apicurio Registry 2.6.5 GA", "release_date": "2024-10-09T00:00:00Z"}, {"advisory": "RHSA-2024:7812", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "org.apache.avro/avro", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2024-10-08T00:00:00Z"}, {"advisory": "RHSA-2024:8093", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2024-10-14T00:00:00Z"}, {"advisory": "RHSA-2024:7811", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-avro-0:1.11.4-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-10-08T00:00:00Z"}, {"advisory": "RHSA-2024:7811", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-avro-0:1.11.4-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-10-08T00:00:00Z"}, {"advisory": "RHSA-2024:7811", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-avro-0:1.11.4-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-10-08T00:00:00Z"}, {"advisory": "RHSA-2024:8339", "cpe": "cpe:/a:redhat:camel_k:1.10.8", "impact": "important", "package": "org.apache.avro/avro", "product_name": "RHINT Camel-K 1.10.8", "release_date": "2024-10-22T00:00:00Z"}], "bugzilla": {"description": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)", "id": "2316116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4\u00a0 or 1.12.0, which fix this issue.", "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute."], "mitigation": {"lang": "en:us", "value": "1. Avoid parsing user-provided schemas.\n2. Ensure proper input validation and sanitization of schemas before parsing.\n3. Monitor systems for any unusual activities that may indicate exploitation attempts.\n4. Apply the principle of least privilege to minimize the potential impact of successful exploits."}, "name": "CVE-2024-47561", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "org.elasticsearch-elasticsearch", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Out of support scope", "package_name": "org.apache.avro/avro", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "impact": "important", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "impact": "moderate", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-10-03T12:20:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47561\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47561"], "statement": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.", "threat_severity": "Critical"}