Vulnerability Information
Vulnerability Title
Attacker-controlled parameter can cause denial of service in hamba avro
Vulnerability Description
Hamba avro is a Go encoder/decoder implementation of the Avro codec specification. In affected versions, a well-crafted string passed to `github.com/hamba/avro/v2.Unmarshal()` can trigger a `fatal error: runtime: out of memory`, which is unrecoverable in Go and therefore causes denial of service of the consumer of avro. The root cause is that avro uses part of the input to `Unmarshal()` to determine the size when creating a new slice, so an attacker may consume arbitrary amounts of memory, which in turn may cause the application to crash. This issue has been addressed in commit `b4a402f4`, which is included in release version `2.13.0`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
Uncontrolled Resource Consumption (Resource Exhaustion)
Vulnerability Title
Hamba avro resource management error vulnerability
Vulnerability Description
Avro is a fast Go Avro codec open-sourced by hamba. Hamba avro contains a resource management error vulnerability: when creating a new slice it uses part of the input to Unmarshal() to determine the size, which allows an arbitrary amount of memory to be consumed and causes the program to crash.
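Both descriptions above describe the same root cause: a length read from untrusted input is used directly as the size of a new slice. The following Go program is an added example and is not code from the hamba/avro project; it decodes a simplified Avro array block (a zig-zag varint count followed by that many zig-zag varint longs, without Avro's multi-block and negative-count forms) and places the unsafe pattern next to a bounded one. The cap `maxBlockCount` is a hypothetical per-application limit; the key check is that a declared count can never exceed the number of bytes actually remaining, since every element occupies at least one byte on the wire.

```go
package main

import (
	"errors"
	"fmt"
)

// maxBlockCount is a hypothetical application-level ceiling on elements per block.
const maxBlockCount = 1 << 20

// readLong decodes an Avro "long": a zig-zag encoded varint, which is how
// Avro encodes lengths and array block counts on the wire.
func readLong(buf []byte, pos int) (int64, int, error) {
	var u uint64
	var shift uint
	for {
		if pos >= len(buf) {
			return 0, pos, errors.New("truncated varint")
		}
		if shift >= 64 {
			return 0, pos, errors.New("varint too long")
		}
		b := buf[pos]
		pos++
		u |= uint64(b&0x7f) << shift
		if b&0x80 == 0 {
			break
		}
		shift += 7
	}
	return int64(u>>1) ^ -int64(u&1), pos, nil // zig-zag decode
}

// writeLong is the inverse of readLong; used only to construct sample input.
func writeLong(v int64) []byte {
	u := uint64(v<<1) ^ uint64(v>>63)
	var out []byte
	for u >= 0x80 {
		out = append(out, byte(u)|0x80)
		u >>= 7
	}
	return append(out, byte(u))
}

// encodeLongs builds a single array block: count, then the elements.
func encodeLongs(vals []int64) []byte {
	out := writeLong(int64(len(vals)))
	for _, v := range vals {
		out = append(out, writeLong(v)...)
	}
	return out
}

// decodeLongsNaive shows the vulnerable pattern: the declared count is trusted
// and handed straight to make(), so a count of 1<<40 requests terabytes before
// a single element has been read, and the runtime aborts with out of memory.
func decodeLongsNaive(buf []byte) ([]int64, error) {
	n, pos, err := readLong(buf, 0)
	if err != nil {
		return nil, err
	}
	out := make([]int64, n) // allocation size driven by untrusted input
	for i := range out {
		out[i], pos, err = readLong(buf, pos)
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

// decodeLongsSafe bounds the declared count by the bytes that actually follow
// it and by a fixed ceiling, so allocation stays proportional to real input.
func decodeLongsSafe(buf []byte) ([]int64, error) {
	n, pos, err := readLong(buf, 0)
	if err != nil {
		return nil, err
	}
	remaining := int64(len(buf) - pos)
	switch {
	case n < 0:
		return nil, fmt.Errorf("negative count %d not supported in this example", n)
	case n > remaining:
		return nil, fmt.Errorf("declared count %d exceeds remaining input (%d bytes)", n, remaining)
	case n > maxBlockCount:
		return nil, fmt.Errorf("declared count %d exceeds cap %d", n, maxBlockCount)
	}
	out := make([]int64, 0, n) // capacity now bounded by len(buf)
	for i := int64(0); i < n; i++ {
		var v int64
		v, pos, err = readLong(buf, pos)
		if err != nil {
			return nil, err
		}
		out = append(out, v)
	}
	return out, nil
}

func main() {
	good := encodeLongs([]int64{1, -2, 300}) // constructed valid block
	vals, err := decodeLongsSafe(good)
	fmt.Println("valid block:", vals, err)

	huge := writeLong(1 << 40) // constructed: declares ~1e12 elements, supplies none
	_, err = decodeLongsSafe(huge)
	fmt.Println("safe decoder on oversized count:", err)
	// decodeLongsNaive(huge) is intentionally not called: it would abort the process.
}
```

The two decoders accept identical well-formed input; they differ only in that the bounded one refuses a count the input cannot possibly back before any allocation happens, which is the property a fuzz or unit test for a length-prefixed decoder should assert.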
CVSS Information
N/A
Vulnerability Type
N/A