CVE-2024-47561

Severity: 9.2 CRITICAL
EPSS: 0.7% (top 26.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 3; latest update Jul 15

Description

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages: 3 packages

Vulnerability Details (3)

CVEList: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK) (2024-10-03)
OSV: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) (2024-10-03)
GHSA: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK) (2024-10-03)

Vendor Advisories (5)

Oracle: Oracle Hyperion Risk Matrix: Installation and Configuration (Apache Avro) — CVE-2024-47561 (2025-07-15)
Oracle: Oracle GoldenGate Risk Matrix: Stream Analytics (Apache Avro) — CVE-2024-47561 (2025-04-15)
Oracle: Oracle GoldenGate Risk Matrix: Java Delivery (Apache Avro) — CVE-2024-47561 (2025-01-15)
Atlassian: CVE-2024-47561: RCE (Remote Code Execution) org.apache.avro:avro Dependency in Bamboo Data Center and Server (2024-11-19)
Red Hat: apache-avro: Schema parsing may trigger Remote Code Execution (RCE) (2024-10-03)