Vulnerability-Lookup

CVE-2021-43045 (GCVE-0-2021-43045)

Vulnerability from cvelistv5 – Published: 2022-01-06 18:00 – Updated: 2024-08-04 03:47

Title

Possible DOS vulnerabilities in C# Avro SDK

Summary

A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.

Severity

No CVSS data available.

CWE

CWE-770

Assigner

apache

References

2 references

URL	Tags
https://lists.apache.org/thread/5fttw9vk6gd2p3b84…	x_refsource_MISC
http://www.openwall.com/lists/oss-security/2022/01/06/8	mailing-listx_refsource_MLIST

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Avro	Affected: Apache Avro , ≤ 1.10.2 (custom)

Credits

Apache Avro would like to thank Philip Sanetra for reporting this issue.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:47:13.525Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd"
          },
          {
            "name": "[oss-security] 20220106 CVE-2021-43045: Apache Avro: Possible DOS vulnerabilities in C# Avro SDK",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/01/06/8"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            ".NET"
          ],
          "product": "Apache Avro",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "1.10.2",
              "status": "affected",
              "version": "Apache Avro",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache Avro would like to thank Philip Sanetra for reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-06T21:06:08.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd"
        },
        {
          "name": "[oss-security] 20220106 CVE-2021-43045: Apache Avro: Possible DOS vulnerabilities in C# Avro SDK",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/01/06/8"
        }
      ],
      "source": {
        "defect": [
          "AVRO-3225",
          "AVRO-3226"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Possible DOS vulnerabilities in C# Avro SDK",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-43045",
          "STATE": "PUBLIC",
          "TITLE": "Possible DOS vulnerabilities in C# Avro SDK"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Avro",
                      "version": {
                        "version_data": [
                          {
                            "platform": ".NET",
                            "version_affected": "\u003c=",
                            "version_name": "Apache Avro",
                            "version_value": "1.10.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache Avro would like to thank Philip Sanetra for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {}
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd"
            },
            {
              "name": "[oss-security] 20220106 CVE-2021-43045: Apache Avro: Possible DOS vulnerabilities in C# Avro SDK",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/01/06/8"
            }
          ]
        },
        "source": {
          "defect": [
            "AVRO-3225",
            "AVRO-3226"
          ],
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-43045",
    "datePublished": "2022-01-06T18:00:12.000Z",
    "dateReserved": "2021-10-27T00:00:00.000Z",
    "dateUpdated": "2024-08-04T03:47:13.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-43045",
      "date": "2026-05-29",
      "epss": "0.0037",
      "percentile": "0.5913"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:avro:*:*:*:*:*:.net:*:*\", \"versionEndExcluding\": \"1.11.0\", \"matchCriteriaId\": \"E466F509-ED2A-41A6-A6C8-E3124EAED4F4\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad en el SDK .NET de Apache Avro permite a un atacante asignar recursos excesivos, causando potencialmente un ataque de denegaci\\u00f3n de servicio. Este problema afecta a las aplicaciones .NET que usan Apache Avro versiones 1.10.2 y anteriores. Los usuarios deben actualizar a versi\\u00f3n 1.11.0, que aborda este problema.\"}]",
      "id": "CVE-2021-43045",
      "lastModified": "2024-11-21T06:28:35.277",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-01-06T18:15:07.863",
      "references": "[{\"url\": \"http://www.openwall.com/lists/oss-security/2022/01/06/8\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2022/01/06/8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-43045\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2022-01-06T18:15:07.863\",\"lastModified\":\"2024-11-21T06:28:35.277\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad en el SDK .NET de Apache Avro permite a un atacante asignar recursos excesivos, causando potencialmente un ataque de denegaci\u00f3n de servicio. Este problema afecta a las aplicaciones .NET que usan Apache Avro versiones 1.10.2 y anteriores. Los usuarios deben actualizar a versi\u00f3n 1.11.0, que aborda este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:avro:*:*:*:*:*:.net:*:*\",\"versionEndExcluding\":\"1.11.0\",\"matchCriteriaId\":\"E466F509-ED2A-41A6-A6C8-E3124EAED4F4\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2022/01/06/8\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2022/01/06/8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]}]}}"
  }
}

CNVD-2022-02754

Vulnerability from cnvd - Published: 2022-01-12

Title

Apache Avro资源管理错误漏洞

Description

Apache Avro是美国阿帕奇（Apache）基金会的一个数据序列化系统。为 Apache Hadoop 提供数据序列化和数据交换服务。 Apache Avro中存在资源管理错误漏洞，该漏洞源于产品的.net SDK组件未对分配资源量进行有效限制。攻击者可通过该漏洞分配过多资源导致拒绝服务。

Severity

高

Patch Name

Apache Avro资源管理错误漏洞的补丁

Patch Description

Apache Avro是美国阿帕奇（Apache）基金会的一个数据序列化系统。为 Apache Hadoop 提供数据序列化和数据交换服务。 Apache Avro中存在资源管理错误漏洞，该漏洞源于产品的.net SDK组件未对分配资源量进行有效限制。攻击者可通过该漏洞分配过多资源导致拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd

Reference

https://www.cybersecurity-help.cz/vdb/SB2022010628

Impacted products

Name
Apache Avro <=1.10.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-43045",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-43045"
    }
  },
  "description": "Apache Avro\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6570\u636e\u5e8f\u5217\u5316\u7cfb\u7edf\u3002\u4e3a Apache Hadoop \u63d0\u4f9b\u6570\u636e\u5e8f\u5217\u5316\u548c\u6570\u636e\u4ea4\u6362\u670d\u52a1\u3002\n\nApache Avro\u4e2d\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u7684.net SDK\u7ec4\u4ef6\u672a\u5bf9\u5206\u914d\u8d44\u6e90\u91cf\u8fdb\u884c\u6709\u6548\u9650\u5236\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u5206\u914d\u8fc7\u591a\u8d44\u6e90\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-02754",
  "openTime": "2022-01-12",
  "patchDescription": "Apache Avro\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u6570\u636e\u5e8f\u5217\u5316\u7cfb\u7edf\u3002\u4e3a Apache Hadoop \u63d0\u4f9b\u6570\u636e\u5e8f\u5217\u5316\u548c\u6570\u636e\u4ea4\u6362\u670d\u52a1\u3002\r\n\r\nApache Avro\u4e2d\u5b58\u5728\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u7684.net SDK\u7ec4\u4ef6\u672a\u5bf9\u5206\u914d\u8d44\u6e90\u91cf\u8fdb\u884c\u6709\u6548\u9650\u5236\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u5206\u914d\u8fc7\u591a\u8d44\u6e90\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Avro\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Avro \u003c=1.10.2"
  },
  "referenceLink": "https://www.cybersecurity-help.cz/vdb/SB2022010628",
  "serverity": "\u9ad8",
  "submitTime": "2022-01-08",
  "title": "Apache Avro\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

FKIE_CVE-2021-43045

Vulnerability from fkie_nvd - Published: 2022-01-06 18:15 - Updated: 2024-11-21 06:28

Severity

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security@apache.org	http://www.openwall.com/lists/oss-security/2022/01/06/8	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2022/01/06/8	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd	Mailing List, Vendor Advisory

Impacted products

	Vendor	Product	Version
	apache	avro	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:avro:*:*:*:*:*:.net:*:*",
              "matchCriteriaId": "E466F509-ED2A-41A6-A6C8-E3124EAED4F4",
              "versionEndExcluding": "1.11.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad en el SDK .NET de Apache Avro permite a un atacante asignar recursos excesivos, causando potencialmente un ataque de denegaci\u00f3n de servicio. Este problema afecta a las aplicaciones .NET que usan Apache Avro versiones 1.10.2 y anteriores. Los usuarios deben actualizar a versi\u00f3n 1.11.0, que aborda este problema."
    }
  ],
  "id": "CVE-2021-43045",
  "lastModified": "2024-11-21T06:28:35.277",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-06T18:15:07.863",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/01/06/8"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2022/01/06/8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-868X-RG4C-CJQG

Vulnerability from github – Published: 2022-01-08 00:39 – Updated: 2023-09-26 20:26

Summary

Allocation of Resources Without Limits or Throttling in Apache Avro

Details

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Apache.Avro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-01-07T22:36:54Z",
    "nvd_published_at": "2022-01-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.",
  "id": "GHSA-868x-rg4c-cjqg",
  "modified": "2023-09-26T20:26:04Z",
  "published": "2022-01-08T00:39:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43045"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/avro/pull/1357"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/avro"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/AVRO-3225"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/AVRO-3226"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/01/06/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Allocation of Resources Without Limits or Throttling in Apache Avro"
}

GSD-2021-43045

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-43045

Aliases

CVE-2021-43045

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-43045",
    "description": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.",
    "id": "GSD-2021-43045"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-43045"
      ],
      "details": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue.",
      "id": "GSD-2021-43045",
      "modified": "2023-12-13T01:23:26.481024Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-43045",
        "STATE": "PUBLIC",
        "TITLE": "Possible DOS vulnerabilities in C# Avro SDK"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Avro",
                    "version": {
                      "version_data": [
                        {
                          "platform": ".NET",
                          "version_affected": "\u003c=",
                          "version_name": "Apache Avro",
                          "version_value": "1.10.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Apache Avro would like to thank Philip Sanetra for reporting this issue."
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": [
        {}
      ],
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-770"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd"
          },
          {
            "name": "[oss-security] 20220106 CVE-2021-43045: Apache Avro: Possible DOS vulnerabilities in C# Avro SDK",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2022/01/06/8"
          }
        ]
      },
      "source": {
        "defect": [
          "AVRO-3225",
          "AVRO-3226"
        ],
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,1.11.0)",
          "affected_versions": "All versions before 1.11.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2022-01-14",
          "description": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro and prior versions. Users should update to which addresses this issue.",
          "fixed_versions": [
            "1.11.0"
          ],
          "identifier": "CVE-2021-43045",
          "identifiers": [
            "CVE-2021-43045",
            "GHSA-868x-rg4c-cjqg"
          ],
          "not_impacted": "All versions starting from 1.11.0",
          "package_slug": "nuget/Apache.Avro",
          "pubdate": "2022-01-08",
          "solution": "Upgrade to version 1.11.0 or above.",
          "title": "Allocation of Resources Without Limits or Throttling in Apache Avro",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-43045",
            "https://github.com/advisories/GHSA-868x-rg4c-cjqg"
          ],
          "uuid": "e9601be5-733a-4ed5-8d3c-ecb3d2cb3c11"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:avro:*:*:*:*:*:.net:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.11.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-43045"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A vulnerability in the .NET SDK of Apache Avro allows an attacker to allocate excessive resources, potentially causing a denial-of-service attack. This issue affects .NET applications using Apache Avro version 1.10.2 and prior versions. Users should update to version 1.11.0 which addresses this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "N/A",
              "refsource": "CONFIRM",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread/5fttw9vk6gd2p3b846nox7hcj5469xfd"
            },
            {
              "name": "[oss-security] 20220106 CVE-2021-43045: Apache Avro: Possible DOS vulnerabilities in C# Avro SDK",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/01/06/8"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-09-26T12:54Z",
      "publishedDate": "2022-01-06T18:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-43045 (GCVE-0-2021-43045)

CNVD-2022-02754

FKIE_CVE-2021-43045

GHSA-868X-RG4C-CJQG

GSD-2021-43045

Tags

Sightings

Nomenclature