CVE-2023-37475

Name
CVE-2023-37475
Description
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of memory` which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4` which has been included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290
MISC https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:avro_project:avro:*:*:*:*:*:go:*:* avro >= None < 2.13.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
avro 3.18-community 1.11.1-r5 nu <llnu@protonmail.ch> possibly vulnerable
avro edge-community 1.11.3-r0 nu <llnu@protonmail.ch> possibly vulnerable
avro 3.19-community 1.11.3-r0 nu <llnu@protonmail.ch> possibly vulnerable