{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-47561", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-09-27T07:06:47.522Z", "datePublished": "2024-10-03T10:23:16.214Z", "dateUpdated": "2024-10-03T18:59:41.415Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.avro:avro", "product": "Apache Avro Java SDK", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.11.4", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Kostya Kortchinsky, from the Databricks Security Team"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.<br>Users are recommended to upgrade to version 1.11.4&nbsp; or 1.12.0, which fix this issue."}], "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4\u00a0 or 1.12.0, which fix this issue."}], "metrics": [{"other": {"content": {"text": "critical"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-10-03T10:23:16.214Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/03/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-03T18:03:29.779Z"}}, {"affected": [{"vendor": "apache", "product": "avro", "cpes": ["cpe:2.3:a:apache:avro:-:*:*:*:*:-:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.11.4", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-03T18:53:44.038603Z", "id": "CVE-2024-47561", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T18:59:41.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/10/03/1"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-03T18:03:29.779Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-47561", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-03T18:53:44.038603Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:avro:-:*:*:*:*:-:*:*"], "vendor": "apache", "product": "avro", "versions": [{"status": "affected", "version": "0", "lessThan": "1.11.4", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-03T18:55:37.785Z"}}], "cna": {"title": "Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK)", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Kostya Kortchinsky, from the Databricks Security Team"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "critical"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Avro Java SDK", "versions": [{"status": "affected", "version": "0", "lessThan": "1.11.4", "versionType": "semver"}], "packageName": "org.apache.avro:avro", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4\u00a0 or 1.12.0, which fix this issue.", "supportingMedia": [{"type": "text/html", "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.<br>Users are recommended to upgrade to version 1.11.4&nbsp; or 1.12.0, which fix this issue.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-10-03T10:23:16.214Z"}}}, "cveMetadata": {"cveId": "CVE-2024-47561", "state": "PUBLISHED", "dateUpdated": "2024-10-03T18:59:41.415Z", "dateReserved": "2024-09-27T07:06:47.522Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-10-03T10:23:16.214Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4\u00a0 or 1.12.0, which fix this issue."}, {"lang": "es", "value": "El an\u00e1lisis de esquemas en el SDK de Java de Apache Avro 1.11.3 y versiones anteriores permite que actores maliciosos ejecuten c\u00f3digo arbitrario. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.11.4 o 1.12.0, que solucionan este problema."}], "id": "CVE-2024-47561", "lastModified": "2024-10-04T13:50:43.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-03T11:15:13.510", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Primary"}]}

{"bugzilla": {"description": "apache-avro: Schema parsing may trigger Remote Code Execution (RCE)", "id": "2316116", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316116"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\nUsers are recommended to upgrade to version 1.11.4\u00a0 or 1.12.0, which fix this issue.", "A vulnerability was found in Apache Avro. The project is affected and at risk if it accepts an org.apache.Avro/avroAvro schema for parsing provided by an end user. This flaw allows an attacker to trigger remote code execution by using the special \"java-class\" attribute."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-47561", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "org.elasticsearch-elasticsearch", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:quarkus:3", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "impact": "important", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "org.apache.avro/avro", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Affected", "impact": "moderate", "package_name": "org.apache.avro/avro", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2024-10-03T12:20:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-47561\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-47561"], "statement": "The Red Hat build of Apache Camel K 1.10 was rated Important as it allows users to provide an Avro schema for parsing. Note that this functionality is limited to authenticated users.\nRed Hat Single Sign-On 7 ships the affected component in its maven repository but does not use it in the product. As such it is affected but not vulnerable to the flaw, and is assessed at Moderate security impact.", "threat_severity": "Critical"}