Vulnerability Details : CVE-2023-39410
When deserializing untrusted or corrupted data, a reader can be made to consume memory beyond the intended limits, driving the system into an out-of-memory condition (a denial of service; the CVSS vector below records no confidentiality or integrity impact).
This issue affects Java applications using the Apache Avro Java SDK up to and including 1.11.2. Users should update to Apache Avro 1.11.3, which addresses this issue.
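The mechanism behind this class of bug, shown as an added example rather than Apache Avro's own code: Avro's binary encoding writes a `bytes` or `string` value as a zig-zag varint length followed by that many bytes, so a decoder that sizes its buffer from the declared length before checking it against the input actually present (or against a configured ceiling) can be driven to reserve gigabytes from a payload of a few bytes. The decoder, the `MAX_BYTES` limit and the hostile payload below are all constructed for illustration and are not taken from the Avro SDK or its 1.11.3 fix.

```python
"""Length-prefix trust in an Avro-style binary decoder (constructed example).

Avro encodes `bytes`/`string` as a zig-zag varint length followed by the
payload. The unchecked reader below trusts that length; the checked reader
validates it against a ceiling and against the remaining input before it
touches memory. Not Apache Avro code; MAX_BYTES is an assumed limit.
"""

MAX_BYTES = 1 << 20  # assumed per-value ceiling (1 MiB), chosen for the demo


def zigzag_encode(n: int) -> bytes:
    """Encode a signed 64-bit integer as an Avro zig-zag varint."""
    z = (n << 1) ^ (n >> 63)  # arithmetic shift keeps the result non-negative
    out = bytearray()
    while True:
        b = z & 0x7F
        z >>= 7
        if z:
            out.append(b | 0x80)  # continuation bit: more groups follow
        else:
            out.append(b)
            return bytes(out)


def zigzag_decode(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a zig-zag varint at buf[pos]; return (value, new position)."""
    z = 0
    shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        z |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 64 bits")
    return (z >> 1) ^ -(z & 1), pos


def encode_bytes(value: bytes) -> bytes:
    """Avro encoding of a `bytes` value: varint length, then the data."""
    return zigzag_encode(len(value)) + value


def naive_declared_length(buf: bytes, pos: int) -> int:
    """Size an unchecked decoder would reserve for the value at buf[pos].

    It trusts the length prefix and would allocate that many bytes before
    looking at the rest of the input. Returned rather than allocated so the
    demo itself cannot exhaust memory.
    """
    n, _ = zigzag_decode(buf, pos)
    return n


def read_bytes_checked(buf: bytes, pos: int, max_len: int = MAX_BYTES) -> tuple[bytes, int]:
    """Decode a `bytes` value only after validating its declared length."""
    n, pos = zigzag_decode(buf, pos)
    if n < 0:
        raise ValueError(f"negative length {n}")
    if n > max_len:
        raise ValueError(f"declared length {n} exceeds limit {max_len}")
    remaining = len(buf) - pos
    if n > remaining:
        raise ValueError(f"declared length {n} exceeds remaining input {remaining}")
    return bytes(buf[pos:pos + n]), pos + n


def is_rejected(buf: bytes, pos: int = 0, max_len: int = MAX_BYTES) -> bool:
    """True if the checked reader refuses the value at buf[pos]."""
    try:
        read_bytes_checked(buf, pos, max_len)
        return False
    except ValueError:
        return True


# Constructed inputs: an honest value and a 9-byte payload claiming 2 GiB.
HONEST = encode_bytes(b"hello avro")
HOSTILE = zigzag_encode(2 * 1024 ** 3) + b"\xde\xad\xbe\xef"
NEGATIVE = zigzag_encode(-1) + b"\x00"  # negative length, another bad prefix


if __name__ == "__main__":
    print("honest value:", read_bytes_checked(HONEST, 0)[0])
    print("unchecked reader would reserve", naive_declared_length(HOSTILE, 0),
          "bytes for a", len(HOSTILE), "byte payload")
    print("checked reader rejects hostile payload:", is_rejected(HOSTILE))
    print("checked reader rejects negative length:", is_rejected(NEGATIVE))
```

The order of checks matters: the ceiling and the remaining-input comparison both run before any buffer is sized from `n`, and a negative length is rejected outright rather than being passed to an allocator. Avro arrays and maps carry block counts with the same varint shape, so the same pre-allocation validation applies to them.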
Products affected by CVE-2023-39410
- cpe:2.3:a:apache:avro:*:*:*:*:*:-:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-39410
1.43% | Probability of exploitation activity in the next 30 days
~86% | Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-39410
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2023-39410
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security@apache.org (Secondary)
- The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Assigned by: nvd@nist.gov (Secondary), security@apache.org (Primary)
References for CVE-2023-39410
- http://www.openwall.com/lists/oss-security/2023/09/29/6
  oss-security - CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
  CVE-2023-39410: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK - Apache Mail Archives (Mailing List; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20240621-0006/
  February 2024 IBM Cognos Analytics Vulnerabilities in NetApp Products | NetApp Product Security