Bug 13688

Summary: [CVE 21] avro 1.7.6 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED DUPLICATE
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: e.kosachev, s.matveev, v.potapov, y.tumanov
Version: All
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2021-43045, CVE-2023-37475, CVE-2023-39410,
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-10-18 19:59:29 MSK
Please patch CVEs for package avro version 1.7.6

INFO (CVEs are): avro 1.7.6
CVEs found:
CVE-2021-43045
Desc: A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-43045
Severity: HIGH
CVE-2023-37475
Desc: Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-37475
Severity: HIGH
CVE-2023-39410
Desc: When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.

This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-39410
Severity: HIGH
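The root cause described for CVE-2023-37475 (an attacker-controlled length used directly to size an allocation) illustrated as a bounded decoder for one Avro type. This is an added example, not code from hamba/avro or Apache Avro; the `maxLen` cap and both sample inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)
// ErrBadLength is returned when an encoded length cannot be satisfied by the input.
var ErrBadLength = errors.New("avro: declared length is negative, over the limit, or exceeds remaining input")

// ReadLong decodes an Avro "long": a little-endian base-128 varint carrying a zig-zag value.
// It returns the value and the number of bytes consumed.
func ReadLong(buf []byte) (int64, int, error) {
	var u uint64
	for i, b := range buf {
		if i >= 10 {
			return 0, 0, errors.New("avro: varint longer than 10 bytes")
		}
		u |= uint64(b&0x7f) << (7 * uint(i))
		if b&0x80 == 0 {
			return int64(u>>1) ^ -int64(u&1), i + 1, nil // zig-zag decode
		}
	}
	return 0, 0, errors.New("avro: truncated varint")
}

// DecodeString reads an Avro string (length-prefixed UTF-8 bytes) from buf.
// The vulnerable pattern is make([]byte, n) straight from the decoded n; here n is checked
// against a caller-supplied cap and the bytes actually present before any allocation.
func DecodeString(buf []byte, maxLen int64) (string, int, error) {
	n, used, err := ReadLong(buf)
	if err != nil {
		return "", 0, err
	}
	rest := buf[used:]
	if n < 0 || n > maxLen || n > int64(len(rest)) {
		return "", 0, ErrBadLength
	}
	return string(rest[:n]), used + int(n), nil
}
// Constructed sample inputs (not taken from any real capture).
var (
	GoodInput    = []byte{0x04, 'h', 'i'}               // length 2 (zig-zag 4), then "hi"
	HostileInput = []byte{0xfe, 0xff, 0xff, 0xff, 0x0f} // declares length 2147483647, carries no bytes
)
func main() {
	s, used, err := DecodeString(GoodInput, 1<<20)
	fmt.Printf("%q %d %v\n", s, used, err)
	_, _, err = DecodeString(HostileInput, 1<<20)
	fmt.Println(err)
}
```

A streaming decoder that cannot see the remaining input should still enforce the `maxLen` bound, or allocate incrementally as bytes arrive rather than up front.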
Comment 1 Vladimir Potapov 2023-10-20 11:33:37 MSK

*** This bug has been marked as a duplicate of bug 13820 ***