CVE-2023-37475
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-37475
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37475.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-37475
- Aliases
- Related
- Published
- 2023-07-17T17:15:10Z
- Modified
- 2024-05-14T12:57:17.128480Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's
github.com/hamba/avro/v2.Unmarshal()can throw afatal error: runtime: out of memorywhich is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input toUnmarshal()to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commitb4a402f4which has been included in release version2.13.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. - References
Affected packages
Git / github.com/hamba/avro
Affected ranges
- Type
- GIT
- Repo
- https://github.com/hamba/avro
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.7.0
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.2.0
v1.2.1
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.7.0
v1.8.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.1.0
v2.10.0
v2.11.0
v2.12.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.6.0
v2.7.0
v2.8.0
v2.8.1
v2.9.0