CVE-2024-47561 CRITICAL

CVE-2024-47561: Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK)

Vendor Apache Software Foundation
Product Apache Avro Java SDK
Weakness CWE-502 · Unsafe deserialization
Published October 3, 2024
Last update October 21, 2024

CVSS base score

9.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

Key dates

Disclosure timeline

October 3, 2024 CVE published
October 21, 2024 Record updated