CVE-2022-35724: Apache Avro Rust SDK vulnerable to reader looping in cycle endlessly, consuming CPU

August 10, 2022 (updated August 18, 2022)

It is possible to provide data to be read that leads the reader to loop in cycles endlessly, consuming CPU. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which addresses this issue.

References

github.com/a0x8o/avro
github.com/advisories/GHSA-v456-chpw-6mmw
lists.apache.org/thread/771z1nwrpkn1ovmyfb2fm65mchdxgy7p
nvd.nist.gov/vuln/detail/CVE-2022-35724

Code Behaviors & Features

Detect and mitigate CVE-2022-35724 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →