Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:41355
HistoryJul 19, 2023 - 2:53 a.m.

Denial Of Service (DoS)

2023-07-1902:53:01
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
6
vulnerability
dos
github.com/hamba/avro
readstring
config.go
unmarshal
restricted max size
application crash

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

21.0%

github.com/hamba/avro is vulnerable to Denial Of Service (DoS). The vulnerability exists in the ReadString function of reader.go because config.go does not properly restrict the maximum size of bytes and string types, allowing an attacker to cause an application crash by providing a maliciously crafted string through the Unmarshal() function.

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

21.0%