CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)
(updated )
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.
References
- github.com/advisories/GHSA-r7pg-v2c8-mfg3
- github.com/apache/avro
- github.com/apache/avro/commit/8f89868d29272e3afea2ff8de8c85cb81a57d900
- github.com/apache/avro/commit/f6b3bd7e50e6e09fedddb98c61558c022ba31285
- github.com/apache/avro/pull/2934
- github.com/apache/avro/pull/2980
- issues.apache.org/jira/browse/AVRO-3985
- lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x
- nvd.nist.gov/vuln/detail/CVE-2024-47561
- thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html
- www.openwall.com/lists/oss-security/2024/10/03/1
Detect and mitigate CVE-2024-47561 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →