Lucene search

GoogleOSV:GHSA-V456-CHPW-6MMW

HistoryAug 10, 2022 - 12:00 a.m.

Apache Avro Rust SDK vulnerable to reader looping in cycle endlessly, consuming CPU

2022-08-1000:00:31

Google

osv.dev

apache

avro

rust

sdk

vulnerability

cpu

update

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

33.9%

JSON

It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

References

github.com/a0x8o/avro

lists.apache.org/thread/771z1nwrpkn1ovmyfb2fm65mchdxgy7p

nvd.nist.gov/vuln/detail/CVE-2022-35724

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

33.9%

JSON

Related for OSV:GHSA-V456-CHPW-6MMW