FKIE_CVE-2025-46762

Vulnerability from fkie_nvd - Published: 2025-05-06 10:15 - Updated: 2025-09-02 20:50
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code. While 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed. The exploit is only applicable if the client code of parquet-avro uses the "specific" or the "reflect" models deliberately for reading Parquet files. ("generic" model is not impacted) Users are recommended to upgrade to 1.15.2 or set the system property "org.apache.parquet.avro.SERIALIZABLE_PACKAGES" to an empty string on 1.15.1. Both are sufficient to fix the issue.
References
security@apache.orghttps://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdpMailing List
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2025/05/02/1Mailing List
Impacted products
Vendor Product Version
apache parquet *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:parquet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B409A6CA-62D9-4667-825E-96EDD827FE08",
              "versionEndExcluding": "1.15.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.\n\nWhile 1.15.1 introduced a fix to restrict untrusted packages, the default setting of trusted packages still allows malicious classes from these packages to be executed.\n\nThe exploit is only applicable if the client code of parquet-avro uses the \"specific\" or the \"reflect\" models deliberately for reading Parquet files. (\"generic\" model is not impacted)\n\nUsers are recommended to upgrade to 1.15.2 or set the system property \"org.apache.parquet.avro.SERIALIZABLE_PACKAGES\" to an empty string on 1.15.1. Both are sufficient to fix the issue."
    },
    {
      "lang": "es",
      "value": "El an\u00e1lisis de esquemas en el m\u00f3dulo parquet-avro de Apache Parquet 1.15.0 y versiones anteriores permite a actores maliciosos ejecutar c\u00f3digo arbitrario. Si bien la versi\u00f3n 1.15.1 introdujo una correcci\u00f3n para restringir los paquetes no confiables, la configuraci\u00f3n predeterminada de los paquetes confiables a\u00fan permite la ejecuci\u00f3n de clases maliciosas de estos paquetes. El exploit solo es aplicable si el c\u00f3digo cliente de parquet-avro utiliza deliberadamente los modelos \"specific\" o \"reflect\" para leer archivos de Parquet. (El modelo \"gen\u00e9rico\" no se ve afectado). Se recomienda a los usuarios actualizar a la versi\u00f3n 1.15.2 o configurar la propiedad del sistema \"org.apache.parquet.avro.SERIALIZABLE_PACKAGES\" con una cadena vac\u00eda en la versi\u00f3n 1.15.1. Ambas opciones son suficientes para solucionar el problema."
    }
  ],
  "id": "CVE-2025-46762",
  "lastModified": "2025-09-02T20:50:53.483",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NEGLIGIBLE",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "HIGH",
          "providerUrgency": "AMBER",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "ACTIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:M/U:Amber",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "MODERATE"
        },
        "source": "security@apache.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-05-06T10:15:16.047",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List"
      ],
      "url": "https://lists.apache.org/thread/t7724lpvl110xsbgqwsmrdsns0rhycdp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2025/05/02/1"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "security@apache.org",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.