Avro
CVE-2022-36124
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 18 cargo packages depend on apache-avro (14 direct, 4 indirect)
Ecosystem-wide dependent count for version 0.14.0.
DescriptionNVD
It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.
AnalysisAI
It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.14.0 (previously known as avro-rs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Technical ContextAI
This vulnerability is classified as Allocation of Resources Without Limits (CWE-770), which allows attackers to exhaust system resources through uncontrolled allocation. It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue. Affected products include: Apache Avro. Version information: prior to 0.14.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Set resource limits, implement rate limiting, validate input sizes.
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. Rated high severity (CVSS 7.5),
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constra
It is possible to crash (panic) an application by providing a corrupted data to be read.14.0 (previously known as avro-r
It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU.14.0 (previou
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today