Multiple vulnerabilities in Apache Avro for Rust

Published: 2022-08-08

Risk	Medium
Patch available	NO
Number of vulnerabilities	3
CVE-ID	CVE-2022-36124 CVE-2022-36125 CVE-2022-35724
CWE-ID	CWE-400 CWE-190 CWE-835
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Apache Avro for Rust Universal components / Libraries / Programming Languages & Components
Vendor	The Rust Programming Language

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU66187

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-36124

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Apache Avro for Rust: 0.1.0 - 0.13.0

Fixed software versions

CPE2.3

cpe:2.3:a:rust-lang:avro_rs:0.13.0:*:*:*:*:rust:*:*

External links

http://seclists.org/oss-sec/2022/q3/108

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Integer overflow

EUVDB-ID: #VU66186

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-36125

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and perform a denial of service (DoS) attack.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Apache Avro for Rust: 0.1.0 - 0.13.0

Fixed software versions

CPE2.3

cpe:2.3:a:rust-lang:avro_rs:0.13.0:*:*:*:*:rust:*:*

External links

http://seclists.org/oss-sec/2022/q3/109

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Infinite loop

EUVDB-ID: #VU66185

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-35724

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Apache Avro for Rust: 0.1.0 - 0.13.0

Fixed software versions

CPE2.3

cpe:2.3:a:rust-lang:avro_rs:0.13.0:*:*:*:*:rust:*:*

External links

http://seclists.org/oss-sec/2022/q3/107

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?