Severity
7.5 HIGH
EPSS
0.1%
top 81.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 29, 2023
Latest update: Apr 15, 2025

Description

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory condition on the system. This issue affects Java applications using the Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3, which addresses this issue.
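The description above is all the page says about the mechanism, so the following Python is an added illustration of the general failure mode behind this class of bug, not code from the Apache Avro project and not a reproduction of the 1.11.3 fix: a length prefix in the binary encoding is attacker-controlled, and a reader that allocates before validating it lets a handful of input bytes drive an arbitrarily large allocation. The zig-zag varint follows Avro's binary encoding of `long`; the two reader functions, the 1 MiB cap (`MAX_BYTES_LENGTH`) and the constructed payloads are assumptions made for the demo.

```python
from __future__ import annotations

# Added illustration of the length-prefix failure mode; not Apache Avro code.
# Avro's binary encoding prefixes a `bytes`/`string` value with its length as a
# zig-zag varint long, so the declared length is fully attacker-controlled.

MAX_BYTES_LENGTH = 1 << 20  # assumed per-value cap (1 MiB) for the bounded reader


def zigzag_encode(n: int) -> bytes:
    """Encode a signed 64-bit integer as a zig-zag varint (Avro long encoding)."""
    z = (n << 1) ^ (n >> 63)  # zig-zag: 0,-1,1,-2,... -> 0,1,2,3,...
    out = bytearray()
    while True:
        byte = z & 0x7F
        z >>= 7
        if z:
            out.append(byte | 0x80)  # continuation bit set, more bytes follow
        else:
            out.append(byte)
            return bytes(out)


def zigzag_decode(buf: bytes, pos: int = 0) -> tuple[int, int]:
    """Decode a zig-zag varint starting at buf[pos]; return (value, new_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 64 bits")
    return (result >> 1) ^ -(result & 1), pos


def read_bytes_naive(buf: bytes, pos: int = 0) -> tuple[bytes, int]:
    """Vulnerable pattern: size the buffer from the declared length, then copy
    whatever input is actually present. Four input bytes can declare gigabytes."""
    length, pos = zigzag_decode(buf, pos)
    out = bytearray(length)  # allocation driven entirely by untrusted input
    chunk = buf[pos:pos + length]
    out[:len(chunk)] = chunk
    return bytes(out), pos + length


def read_bytes_bounded(buf: bytes, pos: int = 0,
                       max_length: int = MAX_BYTES_LENGTH) -> tuple[bytes, int]:
    """Hardened pattern: validate the declared length against a configured cap and
    against the input actually available before allocating anything."""
    length, pos = zigzag_decode(buf, pos)
    if length < 0:
        raise ValueError(f"negative length {length}")
    if length > max_length:
        raise ValueError(f"declared length {length} exceeds cap {max_length}")
    if length > len(buf) - pos:
        raise ValueError(f"declared length {length} exceeds remaining input {len(buf) - pos}")
    return bytes(buf[pos:pos + length]), pos + length


def bounded_rejects(buf: bytes, max_length: int = MAX_BYTES_LENGTH) -> str | None:
    """Return the rejection reason for `buf`, or None if the bounded reader accepts it."""
    try:
        read_bytes_bounded(buf, 0, max_length)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed hostile payload: declares a 16 MiB value but carries no data at all.
HOSTILE = zigzag_encode(16 * 1024 * 1024)
# Constructed benign payload: declares 3 bytes and provides them.
BENIGN = zigzag_encode(3) + b"abc"

if __name__ == "__main__":
    allocated, _ = read_bytes_naive(HOSTILE)
    print(f"naive reader: {len(HOSTILE)}-byte input -> {len(allocated)}-byte allocation")
    print("bounded reader on hostile input:", bounded_rejects(HOSTILE))
    print("bounded reader on benign input:", read_bytes_bounded(BENIGN))
```

The 4-byte hostile payload makes the naive reader allocate 16 MiB; a 64-bit length can declare far more, which is the out-of-memory outcome the advisory describes. The remaining-input check in the bounded reader only works when the whole message is already buffered; a streaming reader cannot know how much input is still to come, so for that case the configured cap is the check that matters, and it should be sized to what the application legitimately expects rather than left at a library default.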

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

NVD: apache/avro < 1.11.3
Maven: org.apache.avro:avro < 1.11.3
PyPI: avro < 1.11.3
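A check for the affected range listed above, as an added example that is not tooling from the page or from the Avro project: it reads lines in the format of `mvn dependency:tree` and `pip freeze` output (embedded here as constructed samples) and flags the Maven artifact `org.apache.avro:avro` and the PyPI package `avro` when their version is below 1.11.3. It goes slightly beyond the page's single range by treating any qualified build (`-SNAPSHOT`, `rc1`) as sorting before the bare release it precedes, so a `1.11.3-SNAPSHOT` is still reported; the sample inputs and helper names are assumptions.

```python
from __future__ import annotations
import re

# Added dependency check for the range on this page; not tooling from the page or
# the Avro project. Package names and fixed versions come from the listing above;
# the sample inputs below are constructed.
FIXED_VERSIONS = {
    ("maven", "org.apache.avro:avro"): "1.11.3",
    ("pypi", "avro"): "1.11.3",
}

# Constructed `mvn dependency:tree` output (plain-text tree format assumed).
MAVEN_TREE_SAMPLE = """\
[INFO] --- dependency:3.6.0:tree (default-cli) @ app ---
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.apache.avro:avro:jar:1.11.2:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.14.2:compile
[INFO] \\- org.apache.avro:avro-compiler:jar:1.11.2:compile
"""

# Constructed `pip freeze` output.
PIP_FREEZE_SAMPLE = """\
avro==1.11.1
requests==2.31.0
"""

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(.*)")


def parse_version(version: str) -> tuple[tuple[int, ...], int]:
    """Split '1.11.3-SNAPSHOT' or '1.11.3rc1' into ((1, 11, 3), 0); a bare release
    gets flag 1 so that any qualified build sorts before the release it precedes."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return numbers, 0 if m.group(2) else 1


def is_affected(version: str, fixed: str = "1.11.3") -> bool:
    """True if `version` is below the fixed version (the page's range is '< 1.11.3')."""
    return parse_version(version) < parse_version(fixed)


def scan_maven_tree(text: str):
    """Yield ('maven', 'groupId:artifactId', version) from dependency:tree lines."""
    for line in text.splitlines():
        tokens = line.split()
        parts = tokens[-1].split(":") if tokens else []
        if len(parts) == 4:            # root project: group:artifact:type:version
            version = parts[3]
        elif len(parts) in (5, 6):     # dependency: group:artifact:type[:classifier]:version:scope
            version = parts[-2]
        else:
            continue                   # plugin banners, blank lines, anything else
        yield "maven", f"{parts[0]}:{parts[1]}", version


def scan_pip_freeze(text: str):
    """Yield ('pypi', name, version) from 'name==version' lines."""
    for line in text.splitlines():
        name, sep, version = line.strip().partition("==")
        if sep and name:
            yield "pypi", name.lower(), version


def find_vulnerable(maven_text: str = "", pip_text: str = "") -> list[tuple[str, str, str]]:
    """Return every listed package whose version falls in the affected range."""
    hits = []
    for eco, name, version in list(scan_maven_tree(maven_text)) + list(scan_pip_freeze(pip_text)):
        fixed = FIXED_VERSIONS.get((eco, name))
        if fixed and is_affected(version, fixed):
            hits.append((eco, name, version))
    return hits


if __name__ == "__main__":
    for eco, name, version in find_vulnerable(MAVEN_TREE_SAMPLE, PIP_FREEZE_SAMPLE):
        print(f"{eco}: {name} {version} is below {FIXED_VERSIONS[(eco, name)]} (CVE-2023-39410)")
```

Only the exact coordinates on the page are matched, so `org.apache.avro:avro-compiler` in the sample is not flagged even though it shares the version; whether sibling artifacts are affected is not something this page states. Transitive pulls of `org.apache.avro:avro` appear in the tree output like any other dependency, which is why scanning the resolved tree rather than the declared pom is the useful check.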

🔴 Vulnerability Details (4)

OSV: CVE-2023-39410: When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. (2023-09-29)
GHSA: Apache Avro Java SDK vulnerable to Improper Input Validation (2023-09-29)
OSV: Apache Avro Java SDK vulnerable to Improper Input Validation (2023-09-29)
CVEList: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (2023-09-29)

📋 Vendor Advisories (6)

Oracle: Oracle Financial Services Applications Risk Matrix: IDM Authentication (Apache Avro) — CVE-2023-39410 (2025-04-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Base (Apache Avro) — CVE-2023-39410 (2025-01-15)
Oracle: Oracle GoldenGate Risk Matrix: Spark (Apache Avro Java) — CVE-2023-39410 (2024-10-15)
Atlassian: CVE-2023-39410: DoS (Denial of Service) org.apache.avro:avro Dependency in Bamboo Data Center and Server (2024-01-16)
Oracle: Oracle Fusion Middleware Risk Matrix: BPM Composer (Apache Avro) — CVE-2023-39410 (2024-01-15)
CVE-2023-39410 (HIGH CVSS 7.5) | When deserializing untrusted or cor | cvebase.io