vulnerability
Red Hat JBoss EAP: CVE-2023-39410: Deserialization of Untrusted Data
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Sep 29, 2023 | Sep 19, 2024 | Jul 2, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:C)
Published
Sep 29, 2023
Added
Sep 19, 2024
Modified
Jul 2, 2025
Description
When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.
This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.. A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.
This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.. A flaw was found in apache-avro. When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints, leading to an out-of-memory error and a denial of service on the system.
Solution
red-hat-jboss-eap-upgrade-latest
References
- CWE-502
- CVE-2023-39410
- https://attackerkb.com/topics/CVE-2023-39410
- URL-https://access.redhat.com/security/cve/CVE-2023-39410
- URL-https://bugzilla.redhat.com/show_bug.cgi?id=2242521
- URL-https://issues.apache.org/jira/browse/AVRO-3819
- URL-https://access.redhat.com/errata/RHSA-2023:7637
- URL-https://access.redhat.com/errata/RHSA-2023:7638
- URL-https://access.redhat.com/errata/RHSA-2023:7639
- URL-https://access.redhat.com/errata/RHSA-2023:7641
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.