Avro
CVE-2022-36125
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 18 cargo packages depend on apache-avro (14 direct, 4 indirect)
Ecosystem-wide dependent count for version 0.14.0.
DescriptionNVD
It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.
AnalysisAI
It is possible to crash (panic) an application by providing a corrupted data to be read.14.0 (previously known as avro-rs). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-20. It is possible to crash (panic) an application by providing a corrupted data to be read.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue. Affected products include: Apache Avro. Version information: prior to 0.14.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. Rated high severity (CVSS 7.5),
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the syste
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constra
It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU.14.0 (previou
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today