You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@avro.apache.org by Ryan Skraba <rs...@apache.org> on 2022/08/08 19:33:41 UTC

CVE-2022-36125: Apache Avro: Integer overflow when reading corrupted .avro file in Avro Rust SDK

Severity: important

Description:

It is possible to crash (panic) an application by providing a corrupted data to be read. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs).  Users should update to apache-avro version 0.14.0 which addresses this issue.

Credit:

This issue was reported to the Apache Avro team by Evan Richter at ForAllSecure and found with Mayhem.