Vulnerability Details : CVE-2022-36125

It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

Vulnerability category: OverflowInput validation

Published 2022-08-09 07:15:07

Updated 2022-08-12 14:35:05

Source Apache Software Foundation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2022-36125

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 44 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-36125

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2022-36125

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: [email protected] (Secondary)
CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Assigned by: [email protected] (Primary)

References for CVE-2022-36125

https://lists.apache.org/thread/t1r5xz0pvhm4tosqopjpj6dz8zlsht07

Mailing List;Vendor Advisory

Products affected by CVE-2022-36125

Apache » Avro » For Rust
Versions before (<) 0.14.0
cpe:2.3:a:apache:avro:*:*:*:*:*:rust:*:*
Matching versions