Vulnerability Details : CVE-2023-37475
Potential exploit
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Vulnerability category: Denial of service
Products affected by CVE-2023-37475
- cpe:2.3:a:avro_project:avro:*:*:*:*:*:go:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-37475
0.29%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 51 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-37475
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-37475
-
The product does not properly control the allocation and maintenance of a limited resource.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-37475
-
https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45
Attacker-controlled parameter can cause DoS of avro · Advisory · hamba/avro · GitHubExploit;Vendor Advisory
-
https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290
feat: add max byte slice size config (#273) · hamba/avro@b4a402f · GitHubPatch
Jump to