7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.001 Low
EPSS
Percentile
21.0%
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro’s github.com/hamba/avro/v2.Unmarshal()
can throw a fatal error: runtime: out of memory
which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to Unmarshal()
to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit b4a402f4
which has been included in release version 2.13.0
. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CPE | Name | Operator | Version |
---|---|---|---|
avro_project:avro | avro project avro | lt | 2.13.0 |
[
{
"vendor": "hamba",
"product": "avro",
"versions": [
{
"version": "< 2.13.0",
"status": "affected"
}
]
}
]