Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2023-37475
Good to know:
Date: July 17, 2023
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's "github.com/hamba/avro/v2.Unmarshal()" can throw a "fatal error: runtime: out of memory" which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to "Unmarshal()" to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit "b4a402f4" which has been included in release version "2.13.0". Users are advised to upgrade. There are no known workarounds for this vulnerability.
Language: Go
Severity Score
Related Resources (8)
Severity Score
Weakness Type (CWE)
Uncontrolled Resource Consumption
CWE-400Top Fix
Upgrade Version
Upgrade to version github.com/hamba/avro - v2.13.0;github.com/hamba/avro/v2 - v2.13.0
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | NONE |
| Integrity (I): | NONE |
| Availability (A): | HIGH |