Allocation of Resources Without Limits or Throttling Affecting apache/avro package, versions <0.14.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.11% (46th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RUST-APACHEAVRO-2977084
  • published9 Aug 2022
  • disclosed9 Aug 2022
  • creditEvan Richter at ForAllSecure

Introduced: 9 Aug 2022

CVE-2022-36124  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade apache/avro to version 0.14.0 or higher.

Overview

apache/avro is a library for working with Apache Avro in Rust language.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the possibility for a Reader to consume memory beyond the allowed constraints.

Note:

The Avro-rs package has migrated to the Apache Avro package, it is recommended to use Apache Avro instead, as it addresses this issue.

CVSS Scores

version 3.1