AVID-2026-R1268
Description
Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK (CVE-2023-39410)
Details
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus cause an out-of-memory condition on the system.
This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.
Reason for inclusion in AVID: CVE-2023-39410 is a deserialization vulnerability in the Apache Avro Java SDK that can cause memory exhaustion when processing untrusted data. Apache Avro is a widely used data serialization library in data pipelines and ML/AI workflows for training, feature processing, and data serving. As such, it is a software component commonly used in AI system stacks; vulnerabilities in it constitute a software supply chain issue for AI systems. The CVE describes a security vulnerability (DoS via memory exhaustion) with actionable remediation (update to 1.11.3). The evidence provided (CVE description, affected versions, and remediation) is sufficient to classify this as a vulnerability affecting AI software supply chains.
References
- NVD entry
- https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds
- https://www.openwall.com/lists/oss-security/2023/09/29/6
- https://security.netapp.com/advisory/ntap-20240621-0006/
Affected or Relevant Artifacts
- Developer: Apache Software Foundation
- Deployer: Apache Software Foundation
- Artifact Details:
| Type | Name |
|---|---|
| System | Apache Avro Java SDK |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-502 | Deserialization of Untrusted Data |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2023-09-29
- Version: 0.3.3
- AVID Entry