CVE-2023-39410
Summary
| CVE | CVE-2023-39410 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-09-29 17:15:00 UTC |
| Updated | 2023-10-06 17:58:00 UTC |
| Description | When deserializing untrusted or corrupted data, a reader can be made to consume memory beyond the allowed constraints, leading to an out-of-memory condition on the system. This issue affects Java applications using the Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3, which addresses this issue. |
Risk And Classification
Problem Types: CWE-502
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds | MISC | lists.apache.org | |
| oss-security - CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK | MISC | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 242565 Red Hat Update for JBoss Enterprise Application Platform 7.4.1 on RHEL 7 (RHSA-2023:7637)
- 379452 IBM Cognos Analytics Multiple Vulnerabilities (7123154)
- 731169 Atlassian Confluence Data Center and Server Security Update (CONFSERVER-94108)
- 731306 Atlassian Jira Software Data Center and Server Denial of Service (DoS) Vulnerability (JSWSERVER-25836)
- 995479 Java (Maven) Security Update for org.apache.avro:avro (GHSA-rhrv-645h-fjfh)
- 995512 Python (Pip) Security Update for avro (GHSA-rhrv-645h-fjfh)