Lucene search

Veracode Vulnerability DatabaseVERACODE:41355

HistoryJul 19, 2023 - 2:53 a.m.

Denial Of Service (DoS)

2023-07-1902:53:01

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

vulnerability

dos

github.com/hamba/avro

readstring

config.go

unmarshal

restricted max size

application crash

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

21.0%

JSON

github.com/hamba/avro is vulnerable to Denial Of Service (DoS). The vulnerability exists in the ReadString function of reader.go because config.go does not properly restrict the maximum size of bytes and string types, allowing an attacker to cause an application crash by providing a maliciously crafted string through the Unmarshal() function.

CPENameOperatorVersion
github.com/hamba/avrolev2.12.0
github.com/hamba/avrolev2.12.0

CPE	Name	Operator	Version
	github.com/hamba/avro	le	v2.12.0
	github.com/hamba/avro	le	v2.12.0

References

github.com/advisories/GHSA-9x44-9pgq-cf45

github.com/hamba/avro/blob/3abfe1e6382c5dccf2e1a00260c51a64bc1f1ca1/reader.go#L216-L242

github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290

github.com/hamba/avro/pull/273

github.com/hamba/avro/releases/tag/v2.13.0

github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

21.0%

JSON

Related for VERACODE:41355