CVE-2024-47561 — Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)

Description

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

How to fix CVE-2024-47561

To remediate CVE-2024-47561, upgrade the affected package to a fixed version below.

—upgrade to 1.11.4 or later

Is CVE-2024-47561 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.11.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-47561
PATCHgithub.com/apache/avro
WEBgithub.com/apache/avro/commit/8f89868d29272e3afea2ff8de8c85cb81a57d900
WEBgithub.com/apache/avro/commit/f6b3bd7e50e6e09fedddb98c61558c022ba31285
WEB