Resource Exhaustion Affecting argo-events package, versions <1.9.2-r1
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CHAINGUARDLATEST-ARGOEVENTS-7924795
- published 8 Sep 2024
- disclosed 17 Jul 2023
Introduced: 17 Jul 2023
CVE-2023-37475 Open this link in a new tabHow to fix?
Upgrade Chainguard
argo-events
to version 1.9.2-r1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream argo-events
package and not the argo-events
package as distributed by Chainguard
.
See How to fix?
for Chainguard
relevant fixed versions and status.
Hamba avro is a go lang encoder/decoder implementation of the avro codec specification. In affected versions a well-crafted string passed to avro's github.com/hamba/avro/v2.Unmarshal()
can throw a fatal error: runtime: out of memory
which is unrecoverable and can cause denial of service of the consumer of avro. The root cause of the issue is that avro uses part of the input to Unmarshal()
to determine the size when creating a new slice and hence an attacker may consume arbitrary amounts of memory which in turn may cause the application to crash. This issue has been addressed in commit b4a402f4
which has been included in release version 2.13.0
. Users are advised to upgrade. There are no known workarounds for this vulnerability.