CVE-2023-37475

Published: Jul 17, 2023

Modified: Oct 18, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Vendor	Product	Versions
hamba	avro	affected `< 2.13.0`

Weaknesses (CWE)

CWE-400

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45

x_refsource_CONFIRM

https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-37475

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References