
x/vulndb: potential Go vuln in github.com/hamba/avro: CVE-2023-37475 #1933

Closed
GoVulnBot opened this issue Jul 17, 2023 · 1 comment

Comments

@GoVulnBot

CVE-2023-37475 references github.com/hamba/avro, which may be a Go module.

Description:
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's github.com/hamba/avro/v2.Unmarshal() can throw a fatal error: runtime: out of memory which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to Unmarshal() to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit b4a402f4 which has been included in release version 2.13.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/hamba/avro
      vulnerable_at: 1.8.0
      packages:
        - package: avro
description: |-
    Hamba avro is a go lang encoder/decoder implementation of the avro codec
    specification. In affected versions a well-crafted string passed to avro's
    `github.com/hamba/avro/v2.Unmarshal()` can throw a `fatal error: runtime: out of
    memory` which is unrecoverable and can cause denial of service of the consumer
    of avro. The root cause of the issue is that avro uses part of the input to
    `Unmarshal()` to determine the size when creating a new slice and hence an
    attacker may consume arbitrary amounts of memory which in turn may cause the
    application to crash. This issue has been addressed in commit `b4a402f4` which
    has been included in release version `2.13.0`. Users are advised to upgrade.
    There are no known workarounds for this vulnerability.
cves:
    - CVE-2023-37475
references:
    - advisory: https://github.com/hamba/avro/security/advisories/GHSA-9x44-9pgq-cf45
    - fix: https://github.com/hamba/avro/commit/b4a402f41cf44b6094b5131286830ba9bb1eb290
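A minimal illustration of the allocation pattern the report's root-cause sentence describes, as an added example (not hamba/avro's own code and not the fix in b4a402f4): an Avro `bytes` value is a zigzag-varint length followed by the payload, so a decoder that hands that length straight to `make` lets a few input bytes request an enormous allocation, while the bounded form checks the declared length against the input actually present before allocating. Function and error names here are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Errors returned by the bounded decoder (names are this example's own).
var (
	ErrBadVarint   = errors.New("avro: invalid or truncated length varint")
	ErrNegativeLen = errors.New("avro: negative length prefix")
	ErrTruncated   = errors.New("avro: length prefix exceeds remaining input")
)

// decodeBytesUnchecked shows the pattern the advisory describes: the length
// read from the input is handed straight to make(), so a handful of input
// bytes can request an arbitrarily large allocation and trigger a fatal OOM.
func decodeBytesUnchecked(buf []byte) ([]byte, error) {
	n, used := binary.Varint(buf) // Avro long = zigzag varint, same as Go's Varint
	if used <= 0 || n < 0 {
		return nil, ErrBadVarint
	}
	out := make([]byte, n) // size is attacker-controlled, never bounded
	copy(out, buf[used:])
	return out, nil
}

// decodeBytes is the hardened form: the declared length is checked against
// the bytes actually present before any allocation, so the decoder can never
// allocate more than it was handed. Returns the value and bytes consumed.
func decodeBytes(buf []byte) ([]byte, int, error) {
	n, used := binary.Varint(buf)
	if used <= 0 {
		return nil, 0, ErrBadVarint
	}
	if n < 0 {
		return nil, 0, ErrNegativeLen
	}
	if n > int64(len(buf)-used) {
		return nil, 0, ErrTruncated
	}
	end := used + int(n)
	return append([]byte(nil), buf[used:end]...), end, nil
}

// encodeBytes builds an Avro bytes value: zigzag-varint length, then payload.
func encodeBytes(b []byte) []byte {
	return append(binary.AppendVarint(nil, int64(len(b))), b...)
}
```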

@neild
Contributor

neild commented Jul 25, 2023

Duplicate of #1930

@neild neild marked this as a duplicate of #1930 Jul 25, 2023
@neild neild closed this as completed Jul 25, 2023