CVE-2022-36124

CWE-770Allocation without Limits4 documents4 sources
Severity
7.5HIGH
EPSS
3.0%
top 13.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache AvroApache Avro
Timeline
PublishedAug 9
Latest updateAug 10

Description

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDapache/avro< 0.14.0
crates.ioapache-avro< 0.14.0
CVEListV5apache_software_foundation/apache_avrounspecified0.14.0

🔴Vulnerability Details

3
OSV
Apache Avro Rust SDK's Reader could consume memory beyond allowed constraints2022-08-10
GHSA
Apache Avro Rust SDK's Reader could consume memory beyond allowed constraints2022-08-10
CVEList
Memory overconsumption in Avro Rust SDK2022-08-09
CVE-2022-36124 (HIGH CVSS 7.5) | It is possible for a Reader to cons | cvebase.io