CVE-2023-39410

Source
https://cve.org/CVERecord?id=CVE-2023-39410
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39410.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-39410
Aliases
Downstream
Related
Published
2023-09-29T16:23:34.021Z
Modified
2026-07-01T11:53:17.566803889Z
Summary
Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK
Details

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39410.json",
    "cna_assigner": "apache",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "1.11.3"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/apache/avro

Affected ranges

Type
GIT
Repo
https://github.com/apache/avro
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:apache:avro:*:*:*:*:*:-:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.3"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

release-1.*
release-1.11.0
release-1.11.0-rc1
release-1.11.0-rc2
release-1.11.1
release-1.11.1-rc1
release-1.11.2
release-1.11.2-rc1

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-39410.json"